Netgate Discussion Forum
    [Feature/Extension] Road warrior subnet per EAP-identity

    13 Posts 4 Posters 2.6k Views
    • H
      Hobby-Student
      last edited by

      @NogBadTheBad:

      Or you could have used FreeRADIUS to assign individual IP addresses to each user.

      A customer of mine has only 3 permanent mobile users and 1 for remote assistance (some special devices). He needs to separate them in different subnets. Adding an extra instance like RADIUS would be overkill.

      Why not use the built-in function? The IPsec daemon can handle this with a few extra lines (yes, of course, pfSense itself needs more lines to be extended). I think it should be worth thinking about and perhaps including in pfSense.

      I have to say that I haven't used RADIUS until now. But what I read is that it uses certificates, which would also have to be rolled out (CA) in some scenarios. I know how to manage certificates, but less hassle with client machines makes the customer happier ;)

      • NogBadTheBadN
        NogBadTheBad
        last edited by

        You can frame the IP address that's handed out to the client and base your IPsec firewall rules on the Framed-IP-Address.

        "andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020"
            Framed-IP-Address = 172.16.9.1,
            Framed-IP-Netmask = 255.255.255.0,
            Framed-Route = "0.0.0.0/0 172.16.0.1 1"

        I'm always reluctant to tell people to tweak config files using a text editor :)

        Does /etc/inc/vpn.inc get overwritten with each update?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

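As an added illustration of the approach in the reply above (example code, not from the post or from pfSense/FreeRADIUS): a small parser for entries in this FreeRADIUS `users` file syntax, plus a check that each user's framed address really lands in the subnet the per-user firewall rules assume and that the account has not already expired. The sample entries, the second username and the placeholder passwords are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in FreeRADIUS "users" file syntax, modelled on the
# entry in the post above. Passwords are placeholders.
USERS_FILE = '''\
"andy" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1", Expiration := "Jan 01 2020"
    Framed-IP-Address = 172.16.9.1,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Route = "0.0.0.0/0 172.16.0.1 1"
"remote-assist" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1"
    Framed-IP-Address = 172.16.10.1,
    Framed-IP-Netmask = 255.255.255.0
'''

# attribute, operator (check items use :=/==, reply items use =), value, optional trailing comma
ATTR = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+?)\s*,?\s*$')

def parse_users(text):
    """Return {username: {'check': {...}, 'reply': {...}}} for each entry."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():                 # unindented: name + check items
            name, _, rest = line.partition(' ')
            current = entries.setdefault(name.strip('"'), {'check': {}, 'reply': {}})
            for item in rest.split(','):
                m = ATTR.match(item)
                if m:
                    current['check'][m.group(1)] = m.group(3).strip('"')
        elif current is not None:                 # indented: reply item
            m = ATTR.match(line)
            if m:
                current['reply'][m.group(1)] = m.group(3).strip('"')
    return entries

def check_isolation(entries, expected):
    """Flag users whose framed address is outside the subnet their firewall
    rules assume, and users whose Expiration date has already passed."""
    problems = []
    for name, want in expected.items():
        e = entries[name]
        if ip_address(e['reply']['Framed-IP-Address']) not in ip_network(want):
            problems.append(f'{name}: framed address outside {want}')
        exp = e['check'].get('Expiration')
        if exp and datetime.strptime(exp, '%b %d %Y') < datetime.now():
            problems.append(f'{name}: account expired {exp}')
    return problems
```

Note that the entry copied from the post carries an Expiration of Jan 01 2020, so the check reports it as expired; an expired entry is rejected by FreeRADIUS regardless of the framed address.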
        • H
          Hobby-Student
          last edited by

          The only reason why I edit vpn.inc is because I had no time to extend the GUI. ;)
          The goal was not to use any directory/RADIUS for this. I was reading the strongswan configuration possibilities and found what I was writing.

          If someone has some free time to extend the GUI with this basic strongSwan feature, more people could benefit from it. For now, I have no clue how to add it to the GUI. It's not the lack of knowledge, it's the lack of having an idea how to make it easily usable… should I extend the Phase 1 form or the Pre-shared Key section?!

          • H
            Hobby-Student
            last edited by

            see redmine https://redmine.pfsense.org/issues/8292
            and github https://github.com/pfsense/pfsense/pull/3904

            • P
              posto587
              last edited by

              Hey guys,

              I would like to use this feature as I want to create different firewall rules for different mobile ipsec users.
              I have a working IPsec IKEv2 with EAP-MSChapv2, only one phase 2 with 0.0.0.0/0

              When I'm providing a virtual address pool in the mobile clients tab, the user always gets an IP from that subnet (192.168.200.1/24) and not the one specified in the EAP Identity PSK tab (192.168.201.1/24).
              When deleting the address pool in the mobile clients tab, connecting fails with:

              Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
              Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found for %any6 requested by '***@***.de'
              Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> peer requested virtual IP %any6
              Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found for %any requested by '***@***.de'
              Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> peer requested virtual IP %any 
              

              Do I need to set a specific DNS server to get this working or what am I doing wrong here?

              Thanks for any advice!

              • A
                alhh @posto587
                last edited by

                Hi @posto587,

                Do you have a solution for your problem? I am facing exactly the same problem.

                Greetings,
                Andreas

                • NogBadTheBadN
                  NogBadTheBad
                  last edited by

                  Use freeradius and assign framed ip addresses.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • A
                    alhh @NogBadTheBad
                    last edited by

                    @NogBadTheBad thanks for the advice, but is free radius necessary? Isn't the idea of the change (from @Hobby-Student) to be able to assign specific IPs (or ranges) directly to given EAP identities?

                    • P
                      posto587
                      last edited by

                      @alhh No, sorry, I haven't found a solution yet. I'm pretty sure it will work with freeradius, but it would be easier to do it directly on the EAP identities without the need to install a freeradius server.

                      • A
                        alhh
                        last edited by

                        In case the change is not working, do we need to add another change or bug request somewhere? Because the idea and feature is quite useful.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.