Virtual Address Pool in Pre-Shared Keys is not used for ipsec
-
Hello. I configured the VPN according to THIS, and I managed to connect.
But when I specified an additional IP pool for a specific pre-shared key, it did not work. The client still received an IP from the default pool.
I need to find a way to provide specific IP addresses to different VPN clients, and I don't want to use RADIUS. Reading the forums, it says that this feature should work, but it does not really. The version of my pfSense is 2.4.4-Release-p3. Can somebody help?
-
+1 on this
-
I have the same thing on Windows 10. If I use a strongSwan client on my cell phone, it works. Right now I am trying a Mac to see if I get the same result. I have tested with Windows 10 1809, 1903 and 1909 with the same bad result.
-
@nohimx I have the same problem. I use macOS Catalina 10.15.1 as the VPN client. The IP address I get is from the global pool even though I configured one on the pre-shared key for the user.
-
I just solved it on the Mac. On the client, in the VPN configuration, for "Local ID" I entered the same email address that I used as the identifier in the pfSense pre-shared key. Now I get an IP address from the pool that I assigned to the pre-shared key.
-
I am currently also having this issue on Windows Server 2016. If you turn off Virtual Address Pool under Mobile Clients and set one for a user under Pre-Shared Keys, the VPN connection will not connect. When you do enable the Virtual Address Pool under Mobile Clients, the VPN will connect but will ignore the virtual address set under the connecting Pre-Shared Key user.
-
@mlevy823 Windows RasMan uses the IP address instead of the IKE local ID. There is no solution today for this problem. I use the strongSwan client as a workaround.
-
Are there any solutions to this problem?
Or what client can I use for an IKEv2 IPsec connection under Windows?
-
@es9465 said in Virtual Address Pool in Pre-Shared Keys is not used for ipsec:
Are there any solutions to this problem?
Or what client can I use for an IKEv2 IPsec connection under Windows?
It is primarily a client problem. The client is not using an identifier in Phase 1 that the IPsec daemon on pfSense can associate with a given client. For example, it may be using its own IP address instead of the EAP username.
See https://redmine.pfsense.org/issues/12549 for some more info as well.
I've tried working around it a few different ways but haven't hit anything reliable so far.
-
@jimp Hi Jimp
This is really turning into a major issue for me and my pfSense customers. The fact that you cannot assign Windows VPN clients different IP pools based on a RADIUS return - or even the pre-shared-key-assigned pool - is essentially making pfSense Mobile IPsec worthless, as all clients are treated equally.
Yes, I know, return a Framed-IP with RADIUS, but that does not scale at all.
This is the single most problematic issue I have with pfSense - it's such a sweet idea to use the built-in VPN client in operating systems. But not with pfSense if you need different access rights for users :-(
Any chance that any of the feature requests for this ever gets bumped into production? It's been 10 years now...
-
It works right now if the client sends the correct identifier in P1, but the problem is that Windows doesn't. Other clients like those on Linux or the strongSwan app send the correct ID and can use per-user addresses right now.
There is a patch in the Redmine issue linked above that has shown promise with Windows clients but isn't a complete solution.
-
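Added illustration, not posted by anyone in this thread and not pfSense's own configuration: a Linux strongSwan (swanctl) road-warrior client that sends an explicit IKEv2 identity alongside the pre-shared key, which is the "correct identifier in P1" jimp refers to above and the same thing the macOS "Local ID" field sets. The gateway name vpn.example.com, the identifier user@example.com, the remote identifier and the secret are placeholders; the remote id is assumed to match whatever "My identifier" is set to in the pfSense Phase 1 settings.

```conf
# Added example (assumed values, not from the thread): strongSwan swanctl.conf
# for a road-warrior client authenticating with a PSK and an explicit IKE ID.
connections {
    pfsense-mobile {
        version = 2
        local_addrs  = %any
        remote_addrs = vpn.example.com        # assumed pfSense WAN hostname
        vips = 0.0.0.0                        # ask the gateway for an IPv4 virtual address
        proposals = aes256-sha256-modp2048    # must match the pfSense Phase 1 proposal
        local {
            auth = psk
            # The identity sent in IKE_AUTH. This is what pfSense matches against
            # the identifier of the Pre-Shared Key entry; a client that sends its
            # own IP address here (as Windows does) cannot be matched to a user.
            id = user@example.com
        }
        remote {
            auth = psk
            id = vpn.example.com              # assumed gateway identifier
        }
        children {
            mobile {
                remote_ts = 0.0.0.0/0         # full tunnel; narrow to the pfSense Phase 2 network if needed
                esp_proposals = aes256-sha256
            }
        }
    }
}

secrets {
    ike-pfsense {
        id = user@example.com                 # same identifier as above
        secret = "replace-with-the-pre-shared-key"
    }
}
```

After `swanctl --load-all` and `swanctl --initiate --child mobile`, `swanctl --list-sas` prints the SA with the local identity and the assigned virtual IP; if the address shown comes from the global pool rather than the per-PSK one, compare the identity in that output (and the remote identity in the pfSense IPsec log) against the PSK identifier, since a mismatch there is exactly the failure mode discussed in this thread.
-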
@jimp said in Virtual Address Pool in Pre-Shared Keys is not used for ipsec:
It works right now if the client sends the correct identifier in P1, but the problem is that Windows doesn't. Other clients like those on Linux or the strongSwan app send the correct ID and can use per-user addresses right now.
There is a patch in the Redmine issue linked above that has shown promise with Windows clients but isn't a complete solution.
Jimp, if you could get that patch to work - and thereby enable Windows native clients to use PSK-defined pool addresses - that would be REALLY nice!!
Any chance you could spend a little time getting the IPsec daemon to accept a virtual address pool returned from RADIUS in an EAP-RADIUS setup? That would be the ultimate solution to make pfSense IPsec VPN go enterprise. Right now it's useless because it doesn't scale and you can't separate user rights with firewall rules.
-