Bug #8765 (closed): Per-user firewall rules for IPsec do not work

Added by Jim Pingle over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Start date: 08/07/2018
% Done: 100%
Affected Version: All
Affected Architecture: All

Description

The IPsec attribute code which processes firewall rules passed back through authentication is missing spaces, causing it to form invalid rules.

Fixed by PR https://github.com/pfsense/pfsense/pull/3942, which was merged a while ago.

#1

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
  • Assignee set to Jim Pingle

Looks good.

Added this to RADIUS user reply attributes:

Cisco-AVPair = "ip:inacl#1=permit tcp any any",
Cisco-AVPair += "ip:outacl#1=permit tcp any any"

Connected to an xauth mobile VPN (rules won't work with EAP, different auth mechanism in strongSwan).

Rules file looks OK:

: cat ipsec_86068river.rules
pass in quick on enc0 proto tcp from any to any no state
pass out quick on enc0 proto tcp from any to any no state

pf loaded the rules OK:

: pfSsh.php playback pfanchordrill
[...]
ipsec rules/nat contents:

ipsec/river rules/nat contents:
pass in quick on enc0 proto tcp all no state
pass out quick on enc0 proto tcp all no state
[...]
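The comment above shows the mapping this bug is about: a RADIUS Cisco-AVPair "ip:inacl#N=..." / "ip:outacl#N=..." entry becomes one pf rule on enc0, and the original defect was that the rule was assembled without the spaces between its elements. The following is an added illustration, not pfSense's own ipsec attribute code: a small translator that builds each rule from a token list joined with single spaces (so a missing separator cannot occur) and a structural check that rejects a rule assembled without them. The two permit entries are the ones tested in the comment; the deny/host/port entry, the iface parameter and the function names are this example's own assumptions, and the pf rules it emits for deny entries are the example's choice, not something the page shows.

```python
import re

# Constructed sample RADIUS reply attributes. The first two are the ones used to
# verify the fix in comment #1; the third is constructed to exercise deny/host/port.
SAMPLE_AVPAIRS = [
    'ip:inacl#1=permit tcp any any',
    'ip:outacl#1=permit tcp any any',
    'ip:inacl#2=deny udp any host 10.0.0.5 eq 53',
]

AVPAIR_RE = re.compile(r'^ip:(?P<dir>inacl|outacl)#(?P<seq>\d+)=(?P<acl>.+)$')

# Shape of a well-formed generated rule: every element separated by exactly one space.
PF_RULE_RE = re.compile(
    r'^(pass|block) (in|out) quick on \S+ proto \S+ from \S+ to \S+( port \S+)?( no state)?$'
)


def parse_avpair(avpair):
    """Split 'ip:inacl#1=permit tcp any any' into (seq, direction, acl_text)."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f'not an ip:inacl/outacl attribute: {avpair!r}')
    return int(m.group('seq')), m.group('dir'), m.group('acl')


def _endpoint(tokens):
    """Consume one Cisco ACL endpoint ('any' or 'host A.B.C.D'); return (pf_text, rest)."""
    if not tokens:
        raise ValueError('missing ACL endpoint')
    if tokens[0] == 'any':
        return 'any', tokens[1:]
    if tokens[0] == 'host' and len(tokens) > 1:
        return tokens[1], tokens[2:]
    raise ValueError(f'unsupported ACL endpoint: {tokens[0]!r}')


def acl_to_pf(direction, acl, iface='enc0'):
    """Translate one Cisco extended-ACL entry into a pf rule on the IPsec interface.

    All elements are collected in a list and joined with ' ', so the missing-space
    defect reported in this bug cannot be reproduced by this builder.
    """
    tokens = acl.split()
    if len(tokens) < 4:
        raise ValueError(f'ACL entry too short: {acl!r}')
    try:
        action = {'permit': 'pass', 'deny': 'block'}[tokens[0]]
    except KeyError:
        raise ValueError(f'unknown ACL action: {tokens[0]!r}') from None
    proto = tokens[1]
    src, rest = _endpoint(tokens[2:])
    dst, rest = _endpoint(rest)
    port = None
    if rest[:1] == ['eq'] and len(rest) == 2:
        port, rest = rest[1], rest[2:]
    if rest:
        raise ValueError(f'unsupported trailing ACL text: {" ".join(rest)!r}')

    parts = [action, 'in' if direction == 'inacl' else 'out', 'quick', 'on', iface,
             'proto', proto, 'from', src, 'to', dst]
    if port:
        parts += ['port', port]
    if action == 'pass':
        parts += ['no', 'state']   # matches the pass rules shown in comment #1
    return ' '.join(parts)


def is_well_formed(rule):
    """Structural check on a generated rule; a rule concatenated without spaces fails it."""
    return PF_RULE_RE.match(rule) is not None


def avpairs_to_rules(avpairs, iface='enc0'):
    """Render the per-user rules file from Cisco-AVPair values, in ACL sequence order."""
    entries = sorted(parse_avpair(a) for a in avpairs)
    rules = [acl_to_pf(direction, acl, iface) for _seq, direction, acl in entries]
    bad = [r for r in rules if not is_well_formed(r)]
    if bad:
        raise ValueError(f'refusing to emit malformed rules: {bad}')
    return '\n'.join(rules) + '\n'


if __name__ == '__main__':
    print(avpairs_to_rules(SAMPLE_AVPAIRS), end='')
    # Reconstruction of the reported defect: elements joined with no separator.
    broken = ''.join(['pass', 'in', 'quick', 'on', 'enc0', 'proto', 'tcp',
                      'from', 'any', 'to', 'any', 'no', 'state'])
    print('malformed rule rejected:', not is_well_formed(broken))
```

The structural check is deliberately cheap and offline; on a real firewall the authoritative check is to load the generated file with pfctl's syntax-only mode before putting it in an anchor, which is effectively what the pfanchordrill output in the comment confirms.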
