IPSEC widget "empty" - freeradius assigned client ip
-
Hi,
I have a working IPSec IKEv2 setup for my mobile devices with radius authorization and ip address assignment via radius user profile.
To secure static IP assignment for vpn clients, I had to leave "Mobile Clients" / "Virtual Address Pool" empty. Otherwise IP addresses are assigned from that pool and radius user profile ip addresses are ignored.
The consequence is that the IPSec widget becomes useless. Although "Status / IPSec" provides all information about existing connections, the widget itself shows no entries in Overview and Tunnel section as well as a note "No mobile tunnels have been configured" in the Mobile section.
Anything I could do to change this? Or is it a known limitation of the widget? Or ... is there anything I could do to make radius user profile client IP assignment work even though a Virtual Address Pool is assigned?
BTW: Running everything on latest stable release.
/t
-
Works from the Status -> IPsec -> Overview page, just not the main page IPsec widget. Guess you're using Framed-IP addresses in FreeRADIUS?
-
Correct @NogBadTheBad
-
@three
All these connections can be seen in the tab
/Status/IPsec/SPDs
192.168.200.150 0.0.0.0/0 ◄ Inbound ESP 31.173.82.70 -> 79.XX.XXX.XXX
0.0.0.0/0 192.168.200.150 ► Outbound ESP 79.XX.XXX.XXX -> 31.173.82.70
-
Correct ... I was just wondering why they do not pop up in the standard IPSec widget and whether there is anything I can do to let them pop up there as well.
It's just nice to have it right in front of me w/o further digging into the system :)
-
Looking at the widget code src it gets the info from the mobile pool.
https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/widgets/widgets/ipsec.widget.php
-
Thanks @NogBadTheBad .. that clarifies my options
The code looks like an original Chinese Menu Card to me
-
@three
To get a list of leased ip addresses PF uses the command
ipsec leases
If you use Radius to get an ip address, this command will not show anything.
[2.4.4-RELEASE][admin@ru.m.org]/root: ipsec leases
no pools found
[2.4.4-RELEASE][admin@ru.m.org]/root:
and if you use the standard settings, then
root@fr:/usr/home/konstanti # ipsec leases
Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
192.168.151.2 offline 'macbookpro2015.m.org'
192.168.151.1 online 'sony_xperia.m.org'
root@fr:/usr/home/konstanti #
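An added example, not part of the thread and not pfSense's own code: a small parser for the two `ipsec leases` outputs quoted in the post above, showing why a view built on pool leases has nothing to list when addresses come from RADIUS. The line format is assumed from those two samples only; `parse_leases` and `mobile_rows` are hypothetical names.

```python
import re

# Output quoted in the thread: RADIUS-assigned addresses, no Virtual Address Pool.
RADIUS_OUTPUT = "no pools found\n"

# Output quoted in the thread: Virtual Address Pool configured.
POOL_OUTPUT = """\
Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
192.168.151.2 offline 'macbookpro2015.m.org'
192.168.151.1 online 'sony_xperia.m.org'
"""

# Line formats assumed from the two samples above.
POOL_RE = re.compile(
    r"^Leases in pool '(?P<pool>[^']+)', usage: (?P<used>\d+)/(?P<size>\d+), \d+ online$"
)
LEASE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<state>online|offline)\s+'(?P<identity>[^']*)'$")


def parse_leases(text):
    """Return one dict per pool with its leases; an empty list when no pool exists."""
    pools = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "no pools found":
            continue
        m = POOL_RE.match(line)
        if m:
            pools.append({"pool": m["pool"], "used": int(m["used"]),
                          "size": int(m["size"]), "leases": []})
            continue
        m = LEASE_RE.match(line)
        if m and pools:  # a lease line only makes sense under a pool header
            pools[-1]["leases"].append(m.groupdict())
    return pools


def mobile_rows(text):
    """Rows a lease-based mobile view could show: (ip, identity, state)."""
    return [(l["ip"], l["identity"], l["state"])
            for p in parse_leases(text) for l in p["leases"]]


if __name__ == "__main__":
    print("RADIUS case:", mobile_rows(RADIUS_OUTPUT))
    print("Pool case:  ", mobile_rows(POOL_OUTPUT))
```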
-
There is a chance this may behave better on 2.5.0 since it's been converted to the new swanctl format for IPsec config. Though since it defers to RADIUS it still might not keep records in that location for that type of setup.