Multiple IPsec IKEv2 "access levels"
-
Guys, I have successfully set up an IKEv2 VPN server on my pfSense box. I use it to connect my iPhone to my local LAN as well as send all internet traffic from my phone through the VPN tunnel, so internet traffic goes via the pfSense WAN.
Now, I'd like to go one step further: I'd like to have another iPhone connect to this VPN but not allow it to access my LAN, just the Internet.
Is it possible to have 2 different "profiles" to the same IKEv2 Server on pfSense? First phone with access to LAN and Internet in the tunnel and the other client with access to Internet and not the LAN?
How to accomplish that?
please point me to the right direction here.
kind regards
-
You can't via IPsec.
The only way round this is to set up freeradius, get it to do your user auth and hand out specific IP addresses to the IPSec clients :-
https://forum.pfsense.org/index.php?topic=140639.msg768291#msg768291
You then need to modify your firewall rules to suit the client on the IPSec tab.
"andy" Cleartext-Password := "XXXXXXXXXX", Simultaneous-Use := "1", NAS-Identifier == strongSwan
	Framed-IP-Address = 172.16.9.1,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Route = "0.0.0.0/0 172.16.0.1 1"

The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.
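To make the two-profile setup above concrete, here is an added example (not pfSense or FreeRADIUS code, and not the poster's) that models how a FreeRADIUS `users` file picks a per-user profile for an IKEv2 client. The user names, passwords, the 172.16.9.0/24 and 172.16.10.0/24 pools and the IPsec-tab firewall policy are all assumed for illustration; the matching logic is a simplified re-implementation of the `files` module's rules (first entry whose check items match wins, `==` items are compared against the request, `:=` items are control items, indented lines are reply items), not the real module.

```python
"""Per-user IKEv2 profiles via a FreeRADIUS `users` file: a small model of
the `files` module's matching rules.  Added example, not pfSense or
FreeRADIUS code; user names, passwords and the 172.16.9.0/24 and
172.16.10.0/24 pools are made up for illustration."""
import ipaddress
import re

# Constructed users file.  "andy" is assigned from 172.16.9.0/24, "guest"
# from 172.16.10.0/24; which of those subnets may reach the LAN is decided
# by the firewall rules on the pfSense IPsec tab, not by RADIUS.
# NAS-Identifier == strongSwan keeps these accounts from being used against
# any other NAS (e.g. a WPA Enterprise access point) that shares the server.
USERS_FILE = '''\
"andy" Cleartext-Password := "andy-secret", Simultaneous-Use := "1", NAS-Identifier == strongSwan
\tFramed-IP-Address = 172.16.9.1,
\tFramed-IP-Netmask = 255.255.255.0,
\tFramed-Route = "0.0.0.0/0 172.16.0.1 1"

"guest" Cleartext-Password := "guest-secret", Simultaneous-Use := "1", NAS-Identifier == strongSwan
\tFramed-IP-Address = 172.16.10.1,
\tFramed-IP-Netmask = 255.255.255.0
'''

# Assumed IPsec-tab rule set (not on the original page): pass 172.16.9.0/24
# to any; block 172.16.10.0/24 to "LAN net", then pass it to any.
PROFILES = {
    ipaddress.ip_network("172.16.9.0/24"): "lan+internet",
    ipaddress.ip_network("172.16.10.0/24"): "internet-only",
}

# `Attr op value` pairs separated by commas; values may be double-quoted.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')


def _parse_items(text):
    return [(attr, op, value.strip('"')) for attr, op, value in ITEM_RE.findall(text)]


def parse_users(text):
    """First-column lines start an entry (name + check items); the indented
    lines that follow are its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            name, _, rest = line.partition(" ")
            entries.append({"name": name.strip('"'), "check": _parse_items(rest), "reply": []})
        else:
            entries[-1]["reply"].extend(_parse_items(line))
    return entries


def authorize(entries, request):
    """Return the reply items of the first entry whose check items all match
    the request, or None for a reject.  `==` items are compared with the
    request attribute; `:=` items are control items (only Cleartext-Password
    is acted on here, compared directly with User-Password, which stands in
    for the EAP-MSCHAPv2 proof strongSwan actually performs)."""
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        control, matched = {}, True
        for attr, op, value in entry["check"]:
            if op == ":=":
                control[attr] = value
            elif op == "==" and request.get(attr) != value:
                matched = False
                break
        if not matched:
            continue                      # e.g. wrong NAS-Identifier: try the next entry
        if "Cleartext-Password" in control and control["Cleartext-Password"] != request.get("User-Password"):
            return None                   # right user and NAS, wrong password
        return {attr: value for attr, _, value in entry["reply"]}
    return None


def access_profile(reply):
    """Map the assigned address back to the access level the assumed firewall
    rules give that subnet (None when rejected or outside both pools)."""
    if not reply or "Framed-IP-Address" not in reply:
        return None
    ip = ipaddress.ip_address(reply["Framed-IP-Address"])
    return next((p for net, p in PROFILES.items() if ip in net), None)


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    for req in (
        {"User-Name": "andy", "User-Password": "andy-secret", "NAS-Identifier": "strongSwan"},
        {"User-Name": "guest", "User-Password": "guest-secret", "NAS-Identifier": "strongSwan"},
        {"User-Name": "andy", "User-Password": "andy-secret", "NAS-Identifier": "802aa8969d8c"},
    ):
        reply = authorize(users, req)
        print(req["User-Name"], req["NAS-Identifier"], "->", reply, access_profile(reply))
```

The third request in the demo carries the access point's NAS-Identifier rather than strongSwan, so the entry's check items do not match and the user is rejected; that is the effect the check item is there for. The access level itself never appears in RADIUS: the reply only places the client in a subnet, and the pfSense rules on the IPsec tab decide what each subnet may reach.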
-
Thanks. It worked perfectly!
The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.
Before RADIUS login, the IPsec widget showed active connections based on the virtual IPs provided to IPsec mobile clients. From the point I set up freeRADIUS to set the client's IP, this information is missing and I have no place to see which users are logged in.
Am I missing something?

The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.

This is not clear to me. What's the difference with this additional NAS-Identifier == strongSwan?
BTW, is it NAS-Identifier == strongSwan or NAS-Identifier == "strongSwan"?
kind regards
-
Thanks. It worked perfectly!
The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.
This is not clear to me. What's the difference with this additional NAS-Identifier == strongSwan?
Yes, the only issue is not being able to see who's logged in via Status -> IPsec -> Leases; the only way is looking in the logs.
Re NAS-Identifier == strongSwan: I also use freeradius for WPA Enterprise auth. If you add NAS-Identifier == strongSwan to the check items, it basically says this user can only connect if the NAS-Identifier is strongSwan.
You can use radsniff -x from the CLI to see what's going on. The capture in green is when I connect to the wi-fi, the blue one via VPN.
2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
	User-Name = "andy"
	NAS-IP-Address = 172.16.1.11
	NAS-Port = 0
	Framed-IP-Address = 172.16.2.41
	Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
	Calling-Station-Id = "D0-4F-7E-85-D9-BE"
	NAS-Identifier = "802aa8969d8c"
	NAS-Port-Type = Wireless-802.11
	Acct-Status-Type = Start
	Acct-Session-Id = "5A44C1A4-0000000F"
	Acct-Authentic = RADIUS
	Connect-Info = "CONNECT 0Mbps 802.11b"
	Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
	User-Name = "andy-ipad"
	NAS-IP-Address = xx.xx.xx.xx
	NAS-Port = 47
	Service-Type = Framed-User
	State = 0x3011d33a3212c931f791fe04904119c2
	Called-Station-Id = "xx.xx.xx.xx[4500]"
	Calling-Station-Id = "172.16.2.41[4500]"
	NAS-Identifier = "strongSwan"
	NAS-Port-Type = Virtual
	EAP-Message = 0x020300061a03
	Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
	NAS-Port-Id = "con1"
	Authenticator-Field = xxxxxxxxxxxxxxxxxxxx