Actions
Bug #8765
closed
Per-user firewall rules for IPsec do not work
Start date:
08/07/2018
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All
Description
The IPsec attribute code which processes firewall rules passed back through authentication is missing spaces, causing it to form invalid rules.
Fixed by PR https://github.com/pfsense/pfsense/pull/3942 which was merged a while ago
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to Resolved
- Assignee set to Jim Pingle
Looks good.
Added this to RADIUS user reply attributes:
Cisco-AVPair = "ip:inacl#1=permit tcp any any", Cisco-AVPair += "ip:outacl#1=permit tcp any any"
Connected to an xauth mobile VPN (rules won't work with EAP, different auth mechanism in strongSwan).
Rules file looks OK:
: cat ipsec_86068river.rules pass in quick on enc0 proto tcp from any to any no state pass out quick on enc0 proto tcp from any to any no state
pf loaded the rules OK:
: pfSsh.php playback pfanchordrill [...] ipsec rules/nat contents: ipsec/river rules/nat contents: pass in quick on enc0 proto tcp all no state pass out quick on enc0 proto tcp all no state [...]
Actions