Bug #9307

closed

Virtual Address Pool in Pre-Shared Keys is not used

Added by Florian K. about 5 years ago. Updated about 5 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 02/06/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4_2
Affected Architecture:

Description

For most of my road warriors, I want to have different firewall rules than for e.g. me.
Therefore, I assigned a default Virtual Address Pool of 192.168.6.0/24 and for my account, I used 192.168.7.0/24.

This is also added to ipsec.conf correctly. However, my (Windows 10) client still gets a 192.168.6.x IP.

Content of /var/etc/ipsec/ipsec.conf:

# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn bypasslan
        leftsubnet = 10.8.0.0/16
        rightsubnet = 10.8.0.0/16
        authby = never
        type = passthrough
        auto = route

conn con-mobile
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        mobike = yes

        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        auto = add
        left = 145.REMOVED...
        right = %any
        leftid = fqdn:test.REMOVED
        ikelifetime = 28800s
        lifetime = 3600s
        rightsourceip = 192.168.6.0/24
        rightdns = 10.8.1.11
        ike = aes256-sha384-ecp384!
        esp = aes256-sha256-ecp384,aes256-sha384-ecp384!
        eap_identity = %any
        leftauth = pubkey
        rightauth = eap-mschapv2
        leftcert = /var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsendcert = always
        leftsubnet = 10.8.0.0/16

conn mobile-1
        also = con-mobile
        eap_identity = email:REMOVED
        rightsourceip = 192.168.7.0/24
        rightid = email:REMOVED

What am I doing wrong or is there a bug? Thanks...

(See also Feature #8292)

Actions #1

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Not a Bug

Probably a configuration issue or it isn't matching the identifier as expected. Post on the forum unless a specific bug can be identified and replicated there.

Actions #2

Updated by Florian K. about 5 years ago

Additional observation:
- On the status page under "Leases", it shows both pools, but 192.168.7.0 is never used.
- I also tried 192.168.7.1/32, but this didn't work either.
- When I disable "virtual address pool" in "Mobile Clients", Windows 10 says: "Invalid Payload received".
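
Added example, not code from the reporter, pfSense or strongSwan. It parses a constructed, trimmed copy of the ipsec.conf from the description (the redacted identities are replaced with placeholder e-mail addresses, an assumption based on the "email:" prefix), expands `also = con-mobile`, and applies a simplified model of strongSwan's rightid matching (assumption: an unset rightid is %any and matches any peer identity; a set rightid matches only an identity of the same type with the same value or a leading `*` wildcard; the most specific match wins). It shows how the identity the client actually presents decides which conn, and therefore which rightsourceip pool, is used, which is the point behind comment #1 and the observation in comment #2 that the 192.168.7.0 pool is listed but never handed out.

```python
"""Added example: model which strongSwan conn (and thus which
rightsourceip pool) the posted ipsec.conf selects for a given peer
identity. Not pfSense or strongSwan code; see the lead-in for assumptions."""
import re

# Constructed, trimmed copy of the reporter's ipsec.conf. The redacted
# identities are replaced with placeholder values (assumption: the real
# rightid/eap_identity are e-mail addresses, as the "email:" prefix suggests).
IPSEC_CONF = """\
config setup
        uniqueids = yes

conn con-mobile
        keyexchange = ikev2
        right = %any
        leftid = fqdn:test.example
        rightsourceip = 192.168.6.0/24
        rightauth=eap-mschapv2
        eap_identity=%any

conn mobile-1
        also = con-mobile
        eap_identity = email:florian@example.com
        rightsourceip = 192.168.7.0/24
        rightid = email:florian@example.com
"""

ID_TYPES = ("email", "fqdn", "ipv4", "ipv6", "dn", "keyid")


def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}, ...} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name}", {})
            continue
        key, _, value = line.strip().partition("=")   # tolerates "k=v" and "k = v"
        current[key.strip()] = value.strip()
    return sections


def resolve_also(sections, name, _seen=()):
    """Expand 'also = parent' chains; the referencing conn wins on conflicts."""
    cfg = dict(sections[f"conn {name}"])
    parent = cfg.pop("also", None)
    if parent is None:
        return cfg
    if parent in _seen:
        raise ValueError(f"'also' loop through conn {parent}")
    merged = resolve_also(sections, parent, _seen + (name,))
    merged.update(cfg)
    return merged


def parse_id(ident):
    """Split an identity into (type, value). Untyped strings are classified
    the way strongSwan does (assumption, simplified): IPv4 literal -> ipv4,
    contains '@' -> email, otherwise fqdn. Values compare case-insensitively."""
    if ident in ("", "%any"):
        return ("any", "")
    kind, sep, value = ident.partition(":")
    if sep and kind in ID_TYPES:
        return (kind, value.lower())
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ident):
        return ("ipv4", ident)
    if "@" in ident:
        return ("email", ident.lower())
    return ("fqdn", ident.lower())


def match_score(rightid, peer_id):
    """0 = no match, 1 = %any, 2 = wildcard match, 3 = exact match."""
    rtype, rval = parse_id(rightid)
    ptype, pval = parse_id(peer_id)
    if rtype == "any":
        return 1
    if rtype != ptype:                 # e.g. rightid=email:... vs an IPv4 IDi
        return 0
    if rval == pval:
        return 3
    if rval.startswith("*") and pval.endswith(rval[1:]):
        return 2
    return 0


def select_conn(sections, peer_id):
    """Return (conn name, rightsourceip) of the most specific matching conn,
    or (None, None). Ties keep the conn listed first."""
    best = (0, None, None)
    for section in sections:
        if not section.startswith("conn "):
            continue
        name = section[len("conn "):]
        cfg = resolve_also(sections, name)
        score = match_score(cfg.get("rightid", "%any"), peer_id)
        if score > best[0]:
            best = (score, name, cfg.get("rightsourceip"))
    return best[1], best[2]


if __name__ == "__main__":
    secs = parse_ipsec_conf(IPSEC_CONF)
    # Candidate IDi values a road-warrior client might present.
    for peer in ("192.0.2.10", "florian@example.com", "fqdn:laptop.example"):
        print(f"{peer:28} -> {select_conn(secs, peer)}")
```

The page does not say what IDi the Windows 10 client sends, so the script is run with several candidates: an address-type identity or an FQDN can only match con-mobile and gets 192.168.6.0/24, while only an e-mail identity equal to the rightid reaches mobile-1 and its 192.168.7.0/24 pool. To check against the real negotiation, compare the conn the script picks with the `selected peer config '...'` line that charon logs for the client's connection attempt, and with the identity shown just before it.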

Actions #3

Updated by Florian K. about 5 years ago

Jim Pingle wrote:

Probably a configuration issue or it isn't matching the identifier as expected. Post on the forum unless a specific bug can be identified and replicated there.

ok I'll try there
