Assigning fixed IP addresses to IKEv2 Clients


  • Galactic Empire

    Is it possible to assign a fixed IP address to the IKEv2 clients?

    Trying to allow two things:

    1. Myself full access to everything.

    2. Friends internet access only.

    Also P1 Protocol = AES (256 bits), P1 Transforms = SHA256, P2 Protocol = ESP, P2 Transforms = AES (auto), P2 Auth Methods = SHA256, SHA384, SHA512 seems to work fine with iOS 10 & OS X 10.12.4.

    I've also got DH key group 14 set.


  • Rebel Alliance Developer Netgate

    At the moment it is not possible using our GUI.

    It can be done in some cases with EAP-RADIUS with Framed-IP-Address replies, but it requires assigning a static address to every client not just certain ones.



  • @jimp:

    At the moment it is not possible using our GUI.

    It can be done in some cases with EAP-RADIUS with Framed-IP-Address replies, but it requires assigning a static address to every client not just certain ones.

    I'm fiddling with freeradius2 within pfSense and IKEv2 too to achieve the same results.

    Is there any guide on this method I could refer to?

    Cheers!



  • Looks like there are some clues here: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp

    But if I put %radius instead of an IP address in the "Virtual Address Pool" column in pfSense, I get the error "A valid IP address for 'Virtual Address Pool Network' must be specified."
    Am I on the wrong track, or is it something else?



  • From the link I posted, %radius can be used since strongSwan version 5.0.3, and if we are using pfSense 2.3.4, pkg info strongswan currently shows strongswan-5.5.1_1.
    So it seems it should support %radius.

    Probably it's just not implemented within the pfSense UI?
    Or did I look at the wrong page?


  • Rebel Alliance Developer Netgate

    If you leave the address pool box empty, our code puts %radius in the strongSwan config when it's set to EAP-RADIUS.



  • @jimp:

    If you leave the address pool box empty, our code puts %radius in the strongSwan config when it's set to EAP-RADIUS.

    Yep, just discovered it.
    Now the interesting part is: if I set "Authentication Method" to EAP-RADIUS in IPsec, I can't connect to the VPN; if I use EAP-MSChapv2 but still use RADIUS to authenticate, I can connect to the VPN.

    :o :o :o


  • Galactic Empire

    Did anyone ever get this working? I'm using RADIUS now but can't seem to tie a user to an IP address; if I connect using andy-iphone I'm getting 172.16.9.1 as an IP address rather than 172.16.9.2.

    "andy-ipad" Cleartext-Password := "password-goes-here"
        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0

    "andy-iphone" Cleartext-Password := "password-goes-here"
        Framed-IP-Address = 172.16.9.2,
        Framed-IP-Netmask = 255.255.255.0

    Ah, I've been playing a bit more and it looks like I need to untick "Provide a virtual IP address to clients" and set up the gateway in RADIUS :)



  • @NogBadTheBad:

    Did anyone ever get this working? I'm using RADIUS now but can't seem to tie a user to an IP address; if I connect using andy-iphone I'm getting 172.16.9.1 as an IP address rather than 172.16.9.2.

    "andy-ipad" Cleartext-Password := "password-goes-here"
        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0

    "andy-iphone" Cleartext-Password := "password-goes-here"
        Framed-IP-Address = 172.16.9.2,
        Framed-IP-Netmask = 255.255.255.0

    Ah, I've been playing a bit more and it looks like I need to untick "Provide a virtual IP address to clients" and set up the gateway in RADIUS :)

    Good to hear you got it!

    Here's the guide link which I created; hopefully it can help more people in future. ;)


  • Galactic Empire

    Yeah, working a treat, thanks dude.

    I was missing the static routes and the Framed-Route = "0.0.0.0/0 172.16.0.1 1"

    I've split my 172.16.9.0/24 into two /25 blocks: the first /25 has full access everywhere, the second /25 internet only.
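As an added example (not the poster's files or pfSense's code), here is a small Python helper that renders FreeRADIUS users-file entries for the setup described in this post: the 172.16.9.0/24 range split into a full-access /25 and an internet-only /25, each user given a Framed-IP-Address, the Framed-IP-Netmask from the thread, and the Framed-Route the poster was missing. It refuses entries whose address falls in the wrong block or is already assigned, since a user landing in the full-access block by a typo would silently get more than internet-only access; the usernames, passwords and the "friend-laptop" entry are constructed sample data.

```python
import ipaddress

# Constructed example: the thread's 172.16.9.0/24 client range split into two
# /25 blocks, as the last post describes (first = full access, second = internet only).
POOLS = {
    "full": ipaddress.ip_network("172.16.9.0/25"),       # full access everywhere
    "internet": ipaddress.ip_network("172.16.9.128/25"),  # internet only
}
FRAMED_NETMASK = "255.255.255.0"          # Framed-IP-Netmask used in the thread
FRAMED_ROUTE = "0.0.0.0/0 172.16.0.1 1"   # Framed-Route the thread was missing


def usable_hosts(pool):
    """Host addresses of a pool, excluding the network and broadcast addresses."""
    return set(pool.hosts())


def check_assignment(role, address):
    """True when `address` is a usable host inside the pool that matches `role`."""
    pool = POOLS.get(role)
    return pool is not None and ipaddress.ip_address(address) in usable_hosts(pool)


def render_users_file(users):
    """Render FreeRADIUS `users` entries from (name, password, role, address) tuples.

    Layout follows the entries quoted in the thread: the check item on the first
    line, reply items indented and comma-separated below it, last one without a
    comma. Raises ValueError on a wrong-block or duplicate address.
    """
    seen = set()
    entries = []
    for name, password, role, address in users:
        if not check_assignment(role, address):
            raise ValueError(f"{name}: {address} is not a usable host in the {role!r} block")
        if address in seen:
            raise ValueError(f"{name}: {address} is already assigned to another user")
        seen.add(address)
        entries.append(
            f'"{name}" Cleartext-Password := "{password}"\n'
            f"\tFramed-IP-Address = {address},\n"
            f"\tFramed-IP-Netmask = {FRAMED_NETMASK},\n"
            f'\tFramed-Route = "{FRAMED_ROUTE}"\n'
        )
    return "\n".join(entries)


# Constructed sample: the two devices named in the thread plus one internet-only friend.
SAMPLE_USERS = [
    ("andy-ipad", "password-goes-here", "full", "172.16.9.1"),
    ("andy-iphone", "password-goes-here", "full", "172.16.9.2"),
    ("friend-laptop", "password-goes-here", "internet", "172.16.9.130"),
]

if __name__ == "__main__":
    print(render_users_file(SAMPLE_USERS))
```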

