Netgate Discussion Forum

    IPSEC widget "empty" - freeradius assigned client ip

      three

      Hi,

      I have a working IPSec IKEv2 setup for my mobile devices with radius authorization and ip address assignment via radius user profile.

      To secure static IP assignment for vpn clients, I had to leave "Mobile Clients" / "Virtual Address Pool" empty. Otherwise IP addresses are assigned from that pool and radius user profile ip addresses are ignored.

      The consequence is that the IPSec widget becomes useless. Although "Status / IPSec" provides all information about existing connections, the widget itself shows no entries in Overview and Tunnel section as well as a note "No mobile tunnels have been configured" in the Mobile section.

      Anything I could do to change this? Or is it a known limitation of the widget? Or ... is there anything I could do to make radius user profile client IP assignment work even though a Virtual Address Pool is assigned?

      BTW: Running everything on latest stable release.

      /t

        NogBadTheBad

        Works from the Status -> IPsec -> Overview page just not the main page IPsec widget, guess you're using Framed-IP addresses in Freeradius?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          three

          Correct @NogBadTheBad

            Konstanti @three

            @three
            All these connections can be seen in the tab
            /Status/IPsec/SPDs

            192.168.200.150	0.0.0.0/0	◄ Inbound	ESP	31.173.82.70 -> 79.XX.XXX.XXX
            0.0.0.0/0	192.168.200.150	► Outbound	ESP	79.XX.XXX.XXX -> 31.173.82.70
            
              three

              Correct ... I was just wondering why they do not pop up in the standard IPSec widget and whether there is anything I can do to let them pop up there as well.

              It's just nice to have it right in front of me w/o further digging into the system :)

                NogBadTheBad

                Looking at the widget code src it gets the info from the mobile pool.

                https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/widgets/widgets/ipsec.widget.php

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  three

                  Thanks @NogBadTheBad .. that clarifies my options ☺

                  The code looks like an original Chinese Menu Card to me 🍜

                    Konstanti @three

                    @three
                    To get a list of leased ip addresses PF uses the command
                    ipsec leases
                    If you use Radius to get an ip address, this command will not show anything.

                    [2.4.4-RELEASE][admin@ru.m.org]/root: ipsec leases
                    no pools found
                    [2.4.4-RELEASE][admin@ru.m.org]/root: 
                    

                    and if you use the standard settings, then

                    root@fr:/usr/home/konstanti # ipsec leases
                    Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
                        192.168.151.2   offline   'macbookpro2015.m.org'
                        192.168.151.1   online   'sony_xperia.m.org'
                    root@fr:/usr/home/konstanti # 
                    
                    
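Added example (not part of the original posts and not pfSense code): a small shell helper that summarises `ipsec leases` output, fed with the two outputs quoted in the post above. It shows that anything relying on lease pools sees zero entries when RADIUS hands out the addresses; the function names lease_summary and list_online are made up for this illustration.

```shell
#!/bin/sh
# Summarise `ipsec leases` output read from stdin.
# Prints: pools=<n> leases=<n> online=<n>
lease_summary() {
    awk '
        /^Leases in pool/ { pools++; next }   # one header line per pool
        /^no pools found/ { next }            # RADIUS-assigned case: nothing to count
        $2 == "online" || $2 == "offline" {
            leases++
            if ($2 == "online") online++
        }
        END { printf "pools=%d leases=%d online=%d\n", pools, leases, online }
    '
}

# Print "<virtual-ip> <identity>" for every lease currently online.
# The identity is taken from between the quotes so names with spaces survive.
list_online() {
    awk '
        $2 == "online" {
            id = $0
            sub("^[^\047]*\047", "", id)      # drop everything up to the opening quote
            sub("\047[ \t]*$", "", id)        # drop the closing quote
            print $1, id
        }
    '
}

# Sample inputs: the two outputs quoted in the thread.
RADIUS_OUT='no pools found'
POOL_OUT="Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
    192.168.151.2   offline   'macbookpro2015.m.org'
    192.168.151.1   online   'sony_xperia.m.org'"

printf '%s\n' "$RADIUS_OUT" | lease_summary   # pool-less setup: all counters zero
printf '%s\n' "$POOL_OUT"   | lease_summary
printf '%s\n' "$POOL_OUT"   | list_online
```

On a live system the same functions can be fed directly, e.g. `ipsec leases | lease_summary`.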
                      jimp Rebel Alliance Developer Netgate

                      There is a chance this may behave better on 2.5.0 since it's been converted to the new swanctl format for IPsec config. Though since it defers to RADIUS it still might not keep records in that location for that type of setup.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.