Netgate Discussion Forum
    Mobile IPSEC Radius IP Assignment

    Category: IPsec | 14 Posts, 6 Posters, 3.4k Views
    MaxHeadroom

      Hi
      I patched my /etc/inc/ipsec.inc so that if in Phase 1 the Auth. method is EAP-RADIUS and in the Mobile clients settings the virtual address pool is not checked, it adds
      ```
      rightsourceip=%radius
      ```
      For me it works now with an Android + strongSwan app (IKEv2 EAP) and it gets the IP from FreeRADIUS.
      
      best regards
      
      [vpn.inc.zip](/public/_imported_attachments_/1/vpn.inc.zip)

      jimp (Rebel Alliance Developer, Netgate)

        Can you post that as a text diff, rather than a .zip? I'd like to try it but I'd rather not replace the entire file.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!


        ajrg

          This is an interesting patch - I would also be interested in the diff!


          ajrg

            @MaxHeadroom:

            gets the ip from freeradius

            While I'm thinking about it - with this patch, are you defining IP addresses for already existing (on pfSense) networks? Only reason I ask is that you are turning off the virtual network option.


            MaxHeadroom

              Hi,

              Sorry for the delay, here is the patch for getting the IP from the RADIUS, and no, they are not already existing networks on the pfSense. It is only that the RADIUS server submits the IP.

              I also have a second patch, the same as the first patch + change from IKEv2 EAP to IKEv2 Certificate + EAP: just add rightauth2 and change a little bit the generation of `/var/etc/ipsec/ipsec.conf`.
              I haven't changed the selectable name in the GUI; maybe it is better to add another option? (Better someone who already knows how this stuff works does this.)
              
              With both patches the IPsec tunnel is working very well with IPSec Freeswan on Android.
              For security reasons I like certs on the client too 8)
              
              Oh sorry, I forgot to say: you have to unset **virtual address pool** for the static IP from RADIUS (don't forget to set a user IP on the RADIUS server!)
              
              BR
              markus
              
              [vpn.inc.patch.zip](/public/_imported_attachments_/1/vpn.inc.patch.zip)
              [vpn.inc.patch2.zip](/public/_imported_attachments_/1/vpn.inc.patch2.zip)

              jimp (Rebel Alliance Developer, Netgate)

                The second thing would definitely need its own, separate GUI choice since it isn't compatible with the current eap-radius selection.

                The IP address pulling bit works OK, though I was disappointed to find that it doesn't look like strongSwan has a way to fall back to a local pool if there is no IP address in RADIUS. There is a way to specify multiple items in rightsourceip but it ends up using both at all times, not one then the other. For example if I use "%radius,x.x.x.0/24" it gives an address to the user from both RADIUS and the local pool.

                I committed a variation of the IP address part here:
                https://github.com/pfsense/pfsense/commit/86330e2b9ba85930a15a2cbd5ef7e7c3d0b3f814

                The only negative side effect is that it would not allow someone to configure eap-radius and omit the pool entirely (hardcode IP addresses on the client) – I can't imagine anyone wanting to do that, but maybe someone does. Might still need a GUI checkbox.



                  ajrg

                  Sorry for the slow reply - running this patch on my home box and it works brilliantly, so thanks!

                  Out of interest, is this something that is likely to end up in the release, further down the road?


                    jimp (Rebel Alliance Developer, Netgate)

                    It's already in for 2.2.5 so it will be in a release shortly.



                      ajrg

                      Great stuff! :D


                        dcandea

                        Hi

                        I managed to make it also work with Mutual RSA and XAuth. strongSwan has support for xauth-radius.

                        replace line

                        ```php
                        // vpn.inc: address source for mobile clients, taken from the configured virtual address pool
                        $rightsourceip = "\trightsourceip = {$a_client['pool_address']}/{$a_client['pool_netbits']}\n";
                        ```

                        with

                        ```php
                        // vpn.inc: let strongSwan take the client address from the RADIUS reply instead
                        $rightsourceip = "\trightsourceip = %radius\n";
                        ```

                        and

                        ```php
                        // vpn.inc: second-round (XAuth) authentication against the local backend
                        $authentication .= "\n\trightauth2 = xauth-generic";
                        ```

                        with

                        ```php
                        // vpn.inc: second-round (XAuth) authentication against RADIUS
                        $authentication .= "\n\trightauth2 = xauth-radius";
                        ```
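Added example, written for this page and not taken from this thread, from pfSense's vpn.inc, or from the commit jimp linked: a small Python rendering of the rightauth/rightsourceip lines for the three cases the posts describe (EAP-RADIUS with the virtual address pool unchecked, a plain local pool, and dcandea's Mutual RSA + XAuth against RADIUS), plus an audit of a rendered conn block for the two pitfalls jimp points out, a rightsourceip that mixes %radius with a local pool and RADIUS authentication with no rightsourceip at all. The setting names auth_method, xauth_backend and pool, the sample values, and the mapping of Mutual RSA to rightauth = pubkey are assumptions standing in for the pfSense Phase 1 and Mobile clients settings.

```python
"""Render and audit the strongSwan ipsec.conf lines that a mobile-client
conn block needs for the RADIUS address-assignment cases in this thread.
Added illustration in Python, not pfSense's own vpn.inc code; the setting
names (auth_method, xauth_backend, pool) are assumptions standing in for the
pfSense Phase 1 / Mobile clients settings."""

import ipaddress
import re

# Constructed sample settings mirroring the three cases in the thread:
# EAP-RADIUS with the virtual address pool unchecked (MaxHeadroom's patch),
# a local pool with a non-RADIUS EAP method, and Mutual RSA + XAuth against
# RADIUS (dcandea's variant).
SAMPLE_SETTINGS = {
    "eap-radius-no-pool": {"auth_method": "eap-radius", "pool": None},
    "local-pool-only": {"auth_method": "eap-mschapv2", "pool": "10.99.0.0/24"},
    "rsa-xauth-radius": {"auth_method": "xauth_rsa_server",
                         "xauth_backend": "radius", "pool": None},
}


def render_client_lines(settings):
    """Return the right* lines for the mobile conn block as a list of strings.

    RADIUS-backed authentication (eap-radius, or XAuth with a RADIUS backend)
    gets "rightsourceip = %radius"; anything else gets the configured pool.
    A RADIUS backend combined with a pool is rejected instead of being
    rendered as "%radius,<pool>", because strongSwan then assigns an address
    from both sources on every connect rather than falling back from one to
    the other (jimp's observation above).
    """
    auth = settings["auth_method"]
    pool = settings.get("pool")
    radius_backed = auth == "eap-radius" or settings.get("xauth_backend") == "radius"

    lines = []
    if auth == "eap-radius":
        lines.append("rightauth = eap-radius")
    elif auth == "xauth_rsa_server":  # assumed name for Mutual RSA + XAuth
        lines.append("rightauth = pubkey")
        lines.append("rightauth2 = xauth-radius" if radius_backed
                     else "rightauth2 = xauth-generic")
    else:
        lines.append(f"rightauth = {auth}")

    if radius_backed and pool:
        raise ValueError("RADIUS-assigned addresses and a local pool cannot be "
                         "combined: strongSwan would assign both")
    if radius_backed:
        lines.append("rightsourceip = %radius")
    elif pool:
        net = ipaddress.ip_network(pool, strict=True)  # rejects host bits set
        lines.append(f"rightsourceip = {net.with_prefixlen}")
    else:
        raise ValueError("no address source configured (neither RADIUS nor a pool)")
    return lines


def render_conn(name, settings):
    """Wrap the lines in a conn block the way ipsec.conf expects them."""
    body = "\n".join(f"\t{line}" for line in render_client_lines(settings))
    return f"conn {name}\n{body}\n"


# Patterns over a rendered conn block, for auditing configs produced elsewhere.
RIGHTSOURCEIP_RE = re.compile(r"^\s*rightsourceip\s*=\s*(.+?)\s*$", re.M)
RIGHTAUTH_RE = re.compile(r"^\s*rightauth2?\s*=\s*(\S+)", re.M)


def audit_conn_block(conn_text):
    """Return findings for the two pitfalls the thread describes."""
    findings = []
    sources = RIGHTSOURCEIP_RE.findall(conn_text)
    auths = RIGHTAUTH_RE.findall(conn_text)
    for src in sources:
        items = [s.strip() for s in src.split(",")]
        if "%radius" in items and len(items) > 1:
            findings.append("rightsourceip mixes %radius with a local pool: "
                            "both addresses are handed out on every connect")
    if any(a in ("eap-radius", "xauth-radius") for a in auths) and not sources:
        findings.append("RADIUS authentication without rightsourceip: the "
                        "address is hard-coded on the client, not assigned")
    return findings


if __name__ == "__main__":
    for label, cfg in SAMPLE_SETTINGS.items():
        block = render_conn(label, cfg)
        print(block, "findings:", audit_conn_block(block))
```

The generator refuses the `%radius,<pool>` combination outright rather than emitting it, since the thread reports that strongSwan treats the list as two simultaneous sources, not a primary and a fallback; the audit function catches the same shape in a conn block that was produced by other means.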
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.