[Feature/Extension] Road warrior subnet per EAP-identity
-
Hey guys and girls,
I had to solve a situation, where multiple road warriors should receive different IP(-subnets). Using pfSense 2.4.2p1 is not able to do this via GUI. I did it quick n dirty:
pre-information
IKEv2 with EAP-MSChapv2 (working in default pfSense without modifications)
1.1.1.0/24 = pfSense LAN
2.2.2.254 = pfSense WAN
"mobile Clients" is the only Phase 1
only one Phase 2 with 0.0.0.0/0default (created by gui)
config setup uniqueids = yes conn bypasslan leftsubnet = 1.1.1.0/24 rightsubnet = 1.1.1.0/24 authby = never type = passthrough auto = route conn con1 fragmentation = yes keyexchange = ikev2 reauth = yes forceencaps = no mobike = no rekey = yes installpolicy = yes type = tunnel dpdaction = none auto = add left = 2.2.2.254 right = %any leftid = fqdn:vpn.domain.de ikelifetime = 10800s lifetime = 3600s ike = aes256-sha512-modp4096! esp = aes256-sha512-modp4096! leftauth=pubkey rightauth=eap-mschapv2 leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt leftsendcert=always leftsubnet = 0.0.0.0/0 eap_identity=%any rightsourceip = 3.3.3.0/24
just adding this into /etc/inc/vpn.inc (to overwrite pfSense generated file)
conn road-1 also=con1 eap_identity=%identity rightsourceip = 4.4.4.0/24 rightid = "user-1@domain.de" conn road-2 also=con1 eap_identity=%identity rightsourceip = 5.5.5.0/24 rightid = "user-2@domain.de"
how is it working?
every road warrior not specified in ipsec.conf will receive an IP in 3.3.3.0/24
every seperated listed road warrior will receive an IP in the specified subnetyou also could assign one unique IP per entry (6.6.6.1/32)
Why?
Different identities (subnets / IP's) for different firewall rules ;)I had no time for modifiying the GUI… everything is hardcoded in /etc/inc/vpn.inc. If someone has some time to integrate this…?
EDIT
you can enhance my quick'n'dirty mod by using leftsubnet in those conn- extensions. so you can have more control over IPsec connections in general and not just by firewall rules. -
So here is the "mod" in /etc/inc/vpn.inc
1387 } else { 1388 if (isset($ph1ent['mobile'])) { 1389 $ipsecfin = "\nconn con-mobile\n"; 1390 } 1391 else { 1392 $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n"; 1393 } 1394 //if (!empty($reqids[$idx])) { 1395 // $ipsecfin .= "\treqid = " . $reqids[0] . "\n"; 1396 //} 1397 $ipsecfin .= $ipsecconnect; 1398 if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) { 1399 $tempsubnets = array(); 1400 foreach ($rightsubnet_spec as $rightsubnet) { 1401 $tempsubnets[$rightsubnet] = $rightsubnet; 1402 } 1403 $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n"; 1404 unset($tempsubnets, $rightsubnet); 1405 } 1406 if (!empty($leftsubnet_spec)) { 1407 $tempsubnets = array(); 1408 foreach ($leftsubnet_spec as $leftsubnet) { 1409 $tempsubnets[$leftsubnet] = $leftsubnet; 1410 } 1411 $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n"; 1412 unset($tempsubnets, $leftsubnet); 1413 } 1414 if (isset($ph1ent['mobile'])) { 1415 $ipsecfin .= "\n"; 1416 $ipsecfin .= "conn mobile-1\n"; 1417 $ipsecfin .= "\talso = con-mobile\n"; 1418 $ipsecfin .= "\teap_identity = %identity\n"; 1419 $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n"; 1420 $ipsecfin .= "\trightid = email:user-1@domain.de\n"; 1421 1422 $ipsecfin .= "\n"; 1423 $ipsecfin .= "conn mobile-2\n"; 1424 $ipsecfin .= "\talso = con-mobile\n"; 1425 $ipsecfin .= "\teap_identity = %identity\n"; 1426 $ipsecfin .= "\trightsourceip = 2.2.2.2/32\n"; 1427 $ipsecfin .= "\trightid = email:user-2@domain.de\n"; 1428 $ipsecfin .= "\tleftsubnet = 10.10.10.0/24\n"; 1429 1430 $ipsecfin .= "\n"; 1431 $ipsecfin .= "conn mobile-3\n"; 1432 $ipsecfin .= "\talso = con-mobile\n"; 1433 $ipsecfin .= "\teap_identity = %identity\n"; 1434 $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n"; 1435 $ipsecfin .= "\trightid = email:user-3@other-domain.de\n"; 1436 } 1437 } 1438 $ipsecconf .= $ipsecfin; 1439 unset($ipsecfin);
lines changed
1388 - 1393
1414 - 1436mobile Users in con-mobile (defaults to con1, standard configuration via GUI) are assigned a blocked IP (no firewall rule or blocked) address eg. 192.168.1.0/24
it's not as comfortable as via the GUI, but I now have full control of which user can access specific resources - both, firewall and routing.
Of course, you need the firewall rules in IPsec tab. -
Or you could have used FreeRADIUS to assign individual IP addresses to each user.
-
Or you could have used FreeRADIUS to assign individual IP addresses to each user.
A customer of mine has only 3 permanent mobile users and 1 for remote assistance (some special devices). He needs to seperate them in different subnets. Adding an extra instance like RADIUS would be overkill.
Why not using the builtin function? IPsec daemon can handle this with few extra lines (yes, of course. pfSense itself needs more lines to be extended). I think it should be worth to think about it and perhaps include it in pfSense.
I have to say, that I haven't used RADIUS till now. But what I read is, that it uses certificates which would also have to be rolled out (CA) in some scenarios. I know how to manage certificates, but less hassle with client machines makes the customer more happy ;)
-
You can frame the IP address thats handed out to the client and base your IPsec firewall rules on the Framed-IP-Address.
"andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020"
Framed-IP-Address = 172.16.9.1,
Framed-IP-Netmask = 255.255.255.0,
Framed-Route = "0.0.0.0/0 172.16.0.1 1"I'm always reluctant to tell people to tweak config files using a text editor :)
Does /etc/inc/vpn.inc get over written with each update ?
-
The only reason why I edit vpn.inc is because I had no time to extend the GUI. ;)
The goal was not to use any directory/RADIUS for this. I was reading the strongswan configuration possibilities and found what I was writing.Ifs someone has some free time to extend the GUI with this basic strongswan feature, more people could benefit by this. For now, I have no clue how to add it to the GUI. It's not the lack of knowledge, it's the lack of having an idea how to make it easy usable… should I extend the Phase 1 form or the Pre-shared Key section?!
-
see redmine https://redmine.pfsense.org/issues/8292
and github https://github.com/pfsense/pfsense/pull/3904 -
Hey guys,
I would like to use this feature as I want to create different firewall rules for different mobile ipsec users.
I have a working IPsec IKEv2 with EAP-MSChapv2, only one phase 2 with 0.0.0.0/0When I'm providing a virtual address pool in the mobile clients tab the user always gets an ip from that subnet (192.168.200.1/24) and not the one specified in the EAP Identity PSK tab (192.168.201.1/24).
When deleting the address pool in the mobile clients tab connecting fails with:Apr 10 14:01:03 charon 05[IKE] <con-mobile|1> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE Apr 10 14:01:03 charon 05[IKE] <con-mobile|1> no virtual IP found for %any6 requested by '***@***.de' Apr 10 14:01:03 charon 05[IKE] <con-mobile|1> peer requested virtual IP %any6 Apr 10 14:01:03 charon 05[IKE] <con-mobile|1> no virtual IP found for %any requested by '***@***.de' Apr 10 14:01:03 charon 05[IKE] <con-mobile|1> peer requested virtual IP %any
Do I need to set a specific DNS server to get this working or what am I doing wrong here?
Thanks for any advice!
-
Hi @posto587,
do you have a solution for your problem? I am facing exactly the same problem.
Greetings,
Andreas -
Use freeradius and assign framed ip addresses.
-
@NogBadTheBad thanks for the advice, but is free radius necessary? Isn't the idea of the change (from @Hobby-Student) to be able to assign specific IPs (or ranges) directly to given EAP identities?
-
@alhh No sorry, not found a solution yet. I'm pretty sure it will work with freeradius, but would be easier to do it directly on the EAP identities without the need to install a freeradius server.
-
In case the change is not working, do we need to add an another change or bug request somewhere? Because the idea and feature is quite useful.