Feature #9206 (closed)

OpenVPN+RADIUS+Cisco AVPair ACL Enhancements/BugFixes

Added by Shawn Bruce over 5 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Normal
Category: OpenVPN
Start date: 12/17/2018
% Done: 100%

Description

Hello,

I've fixed a race condition where disconnecting and reconnecting a session when using AVPair ACLs would result in no rules being inserted.

Additionally, I have added the following:
- Updated the ACL parser to support IP and ICMP protocol options.
- Updated the ACL parser to support port operators.
- Added a template variable "{clientip}" that is replaced with the connecting client's VPN IP.

#2

Updated by Jim Pingle about 5 years ago

  • Target version changed from 48 to 2.5.0
#3

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
#4

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#5

Updated by Viktor Gurov almost 4 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20200414.0021

test radius attributes:

Cisco-AVPair = "ip:outacl#1=permit udp host 4.4.4.4 host 7.7.7.7 range 3110 5000",
Cisco-AVPair += "ip:outacl#2=permit tcp any host 7.7.7.7 gt 333",
Cisco-AVPair += "ip:inacl#1=permit udp host 3.3.3.3 host 7.7.7.7 lt 566",
Cisco-AVPair += "ip:inacl#2=permit udp host 3.3.3.3 host 7.7.7.7 neq 899",
Cisco-AVPair += "ip:inacl#3=permit tcp host 2.2.2.2 host 5.5.5.5 eq 999"

# pfctl -a openvpn/ovpns1_testuser1_1194 -s rules
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
pass in quick on ovpns1 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
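The test above shows how each Cisco-AVPair ACL line maps onto a pf rule, including the port operators and the exclusive bounds pf uses for a "range". The following translator is an added example, not pfSense's own PHP parser: it reproduces that mapping for the forms visible on this page (permit, host/any endpoints, eq/lt/gt/neq/range on the destination port, the "{clientip}" substitution), and the deny-to-block mapping, the empty proto clause for "ip", and the interface and client IP values are assumptions.

```python
import re

# Hypothetical Cisco AVPair ACL -> pf rule translator (added example, not pfSense code).
# Mapping taken from the pfctl output above: inacl/outacl -> "pass in/out",
# "range A B" -> "port A-1 >< B+1" (pf's >< is exclusive), eq/lt/gt/neq -> = < > !=.

PORT_OPS = {"eq": "=", "lt": "<", "gt": ">", "neq": "!="}
PROTOS = {"ip", "tcp", "udp", "icmp"}
ACTIONS = {"permit": "pass", "deny": "block"}  # deny -> block is an assumption
AVPAIR_RE = re.compile(r"^ip:(?P<dir>in|out)acl#(?P<idx>\d+)=(?P<acl>.+)$")

def _endpoint(tokens, clientip):
    """Consume one address spec: 'any' or 'host <ip>'; '{clientip}' is substituted."""
    kind = tokens.pop(0)
    if kind == "any":
        return "any"
    if kind == "host":
        addr = tokens.pop(0)
        return clientip if addr == "{clientip}" else addr
    raise ValueError(f"unsupported address spec: {kind}")

def _port(tokens):
    """Consume an optional destination port operator; return pf ' port ...' text or ''."""
    if not tokens or (tokens[0] not in PORT_OPS and tokens[0] != "range"):
        return ""
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return f" port {lo - 1} >< {hi + 1}"  # widen by one: >< excludes both ends
    return f" port {PORT_OPS[op]} {tokens.pop(0)}"

def avpair_to_pf(avpair, iface="ovpns1", clientip="10.0.8.2"):
    """Translate one 'ip:inacl#N=...' / 'ip:outacl#N=...' value to a pf rule string."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"not an ip:inacl/outacl AVPair: {avpair}")
    tokens = m.group("acl").split()
    action = ACTIONS[tokens.pop(0)]
    proto = tokens.pop(0)
    if proto not in PROTOS:
        raise ValueError(f"unsupported protocol: {proto}")
    src = _endpoint(tokens, clientip)
    dst = _endpoint(tokens, clientip)
    port = _port(tokens) if proto in ("tcp", "udp") else ""
    if tokens:
        raise ValueError(f"trailing tokens not understood: {tokens}")
    proto_txt = "" if proto == "ip" else f" proto {proto}"  # bare 'ip' = any protocol (assumed)
    return (f"{action} {m.group('dir')} quick on {iface} inet{proto_txt} "
            f"from {src} to {dst}{port} no state")
```

Numeric ports are emitted as numbers; pfctl prints a service name (such as "garcon" for 999) when one exists in /etc/services, but the rule is the same.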