    Multiple IPSEC IkeV2 "access levels"

    General pfSense Questions
    gelcom:

      Guys, I have successfully set up an IKEv2 VPN server on my pfSense box. I use it to connect my iPhone to my local LAN as well as to send all internet traffic from my phone through the VPN tunnel, so internet traffic goes via the pfSense WAN.

      Now, I'd like to go one step further: I'd like to have another iPhone connect to this VPN but not allow it to access my LAN, just the Internet.

      Is it possible to have 2 different "profiles" on the same IKEv2 server on pfSense? The first phone with access to the LAN and the Internet in the tunnel, and the other client with access to the Internet but not the LAN?

      How do I accomplish that?

      Please point me in the right direction here.

      Kind regards

      NogBadTheBad:

        You can't via IPsec.

        The only way round this is to set up FreeRADIUS, get it to do your user auth and hand out specific IP addresses to the IPsec clients:

        https://forum.pfsense.org/index.php?topic=140639.msg768291#msg768291

        You then need to modify your firewall rules on the IPsec tab to suit the client.

        "andy" Cleartext-Password := "XXXXXXXXXX", Simultaneous-Use := "1", NAS-Identifier == strongSwan

        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.0.1 1"

        The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        gelcom:
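The `users` entry above does two jobs at once: the check items on the first line decide whether the request is accepted at all, and the reply items on the continuation lines decide which address the client gets, which in turn is what the firewall rules on the IPsec tab key on. The following Python script is an added illustration, not pfSense or FreeRADIUS code. It parses entries in the same `users` format, evaluates Access-Requests against them, and applies a first-match rule set on the tunnel addresses. The second user (`guest-phone`), both passwords, the 172.16.10.0/24 range and the 192.168.1.0/24 LAN are constructed for the example, and a cleartext password comparison stands in for the EAP exchange IKEv2 clients actually perform.

```python
"""Model of FreeRADIUS `users` entries giving two IPsec clients different access.

Added illustration, not pfSense or FreeRADIUS code. Usernames other than
"andy", passwords, 172.16.10.0/24 and the 192.168.1.0/24 LAN are constructed.
"""
import ipaddress
import re

# Two entries in the `users` file layout: check items on the header line,
# reply items on the indented continuation lines (comma separated, last bare).
USERS_FILE = '''\
"andy" Cleartext-Password := "example-pw-1", Simultaneous-Use := "1", NAS-Identifier == strongSwan
        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.0.1 1"

"guest-phone" Cleartext-Password := "example-pw-2", Simultaneous-Use := "1", NAS-Identifier == strongSwan
        Framed-IP-Address = 172.16.10.1,
        Framed-IP-Netmask = 255.255.255.0
'''

# attribute, operator, value (quoted or bare); commas separate items
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return {username: (check_items, reply_items)} from `users` file text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                     # header line: name + check items
            name, _, rest = line.partition(" ")
            current = name.strip('"')
            entries[current] = ([], {})
            entries[current][0].extend(
                (a, op, v.strip('"')) for a, op, v in ITEM.findall(rest))
        elif current:                                 # continuation line: reply items
            for a, _op, v in ITEM.findall(line):
                entries[current][1][a] = v.strip('"')
    return entries


def authorize(entries, request, active_sessions=None):
    """Return (code, reply attributes) for an Access-Request given as a dict.

    Simplified: '==' check items must match the request; ':=' control items
    configure the password check and the Simultaneous-Use limit.
    active_sessions maps username -> number of sessions currently open.
    """
    active_sessions = active_sessions or {}
    entry = entries.get(request.get("User-Name"))
    if entry is None:
        return "Access-Reject", {"reason": "unknown user"}
    check, reply = entry
    for attr, op, value in check:
        if attr == "Cleartext-Password":
            if request.get("User-Password") != value:
                return "Access-Reject", {"reason": "bad password"}
        elif attr == "Simultaneous-Use":
            if active_sessions.get(request["User-Name"], 0) >= int(value):
                return "Access-Reject", {"reason": "Simultaneous-Use limit"}
        elif op == "==" and request.get(attr) != value:
            # e.g. the same credentials presented by a Wi-Fi access point
            return "Access-Reject", {"reason": f"{attr} mismatch"}
    return "Access-Accept", dict(reply)


# Assumed rules on the IPsec tab, first match wins; default deny if none match.
LAN = "192.168.1.0/24"
IPSEC_RULES = [
    ("172.16.9.0/24", "0.0.0.0/0", "pass"),    # andy: LAN and Internet
    ("172.16.10.0/24", LAN, "block"),          # guest: no LAN
    ("172.16.10.0/24", "0.0.0.0/0", "pass"),   # guest: Internet only
]


def permitted(src_ip, dst_ip, rules=IPSEC_RULES):
    """First-match evaluation of the rule list for one packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "pass"
    return False


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    vpn = {"User-Name": "andy", "User-Password": "example-pw-1", "NAS-Identifier": "strongSwan"}
    wifi = dict(vpn, **{"NAS-Identifier": "802aa8969d8c"})
    print("VPN :", authorize(entries, vpn))
    print("WiFi:", authorize(entries, wifi))
    print("guest -> LAN:", permitted("172.16.10.1", "192.168.1.10"))
```

The split between check items and reply items is the whole trick: FreeRADIUS never sees the LAN, it only decides which tunnel address each identity receives, and the IPsec tab rules then treat the two /24 ranges as the two "access levels" the question asked for.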

          Thanks. It worked perfectly!

          The only point is that there is no place in pfSense where I can see which FreeRADIUS users are logged in to the VPN.

          Before the RADIUS login, the IPsec widget showed active connections based on the virtual IPs provided by IPsec mobile clients. Since I set up FreeRADIUS to set the client's IP, this information is missing and I have no place to see which users are logged in.
          Am I missing something?

          @NogBadTheBad:

          The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.

          This is not clear to me. What's the difference with this additional NAS-Identifier == strongSwan?
          BTW, is it NAS-Identifier == strongSwan or NAS-Identifier == "strongSwan"?

          Kind regards

          NogBadTheBad:

            @gelcom:

            Thanks. It worked perfectly!

            The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.

            This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan

            Yes, the only issue is not being able to see who's logged in via Status -> IPsec -> Leases; the only way is looking in the logs.

            Re NAS-Identifier == strongSwan: I also use FreeRADIUS for WPA Enterprise auth. If you add NAS-Identifier == strongSwan to the check items, it basically says this user can only connect if the NAS-Identifier is strongSwan.

            You can use radsniff -x from the CLI to see what's going on; the capture in green is when I connect to the Wi-Fi, the blue via VPN.

            2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
            User-Name = "andy"
            NAS-IP-Address = 172.16.1.11
            NAS-Port = 0
            Framed-IP-Address = 172.16.2.41
            Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
            Calling-Station-Id = "D0-4F-7E-85-D9-BE"
            NAS-Identifier = "802aa8969d8c"
            NAS-Port-Type = Wireless-802.11
            Acct-Status-Type = Start
            Acct-Session-Id = "5A44C1A4-0000000F"
            Acct-Authentic = RADIUS
            Connect-Info = "CONNECT 0Mbps 802.11b"
            Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

            2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
            User-Name = "andy-ipad"
            NAS-IP-Address = xx.xx.xx.xx
            NAS-Port = 47
            Service-Type = Framed-User
            State = 0x3011d33a3212c931f791fe04904119c2
            Called-Station-Id = "xx.xx.xx.xx[4500]"
            Calling-Station-Id = "172.16.2.41[4500]"
            NAS-Identifier = "strongSwan"
            NAS-Port-Type = Virtual
            EAP-Message = 0x020300061a03
            Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
            NAS-Port-Id = "con1"
            Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

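The two captures above show the practical answer to both questions in the thread: the NAS-Identifier is what separates a request arriving from the access point from one arriving from strongSwan, and the RADIUS packets themselves are the only record of who is on the VPN once FreeRADIUS assigns the addresses. The following Python script is an added example, not part of the thread, that turns `radsniff -x` output into that record. The capture text inside it is constructed in the layout radsniff prints: public addresses and authenticators are placeholders, the Accounting-Request from NAS-Identifier "strongSwan" assumes the IPsec server is also configured to send RADIUS accounting (which the thread does not show), and the Wi-Fi Stop record is invented to show a session closing.

```python
"""Summarise radsniff -x output: who authenticated from which NAS, and which
accounting sessions are still open.

Added example, not part of the thread. CAPTURE is constructed in radsniff's
layout; 203.0.113.10 stands in for the masked public address, and the
strongSwan Accounting-Request and the Wi-Fi Stop record are invented.
"""
import re
from collections import defaultdict

CAPTURE = """\
2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
    User-Name = "andy"
    NAS-IP-Address = 172.16.1.11
    Framed-IP-Address = 172.16.2.41
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
    Acct-Status-Type = Start
    Acct-Session-Id = "5A44C1A4-0000000F"

2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
    User-Name = "andy-ipad"
    NAS-IP-Address = 203.0.113.10
    Calling-Station-Id = "172.16.2.41[4500]"
    NAS-Identifier = "strongSwan"
    NAS-Port-Type = Virtual
    NAS-Port-Id = "con1"

2017-12-28 13:50:03.101000 (8) Accounting-Request Id 223 lo0:127.0.0.1:26931 -> 127.0.0.1:1813 +0.020
    User-Name = "andy-ipad"
    Framed-IP-Address = 172.16.9.1
    NAS-Identifier = "strongSwan"
    Acct-Status-Type = Start
    Acct-Session-Id = "CONSTRUCTED-0001"

2017-12-28 14:02:10.000000 (31) Accounting-Request Id 95 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +0.000
    User-Name = "andy"
    NAS-Identifier = "802aa8969d8c"
    Acct-Status-Type = Stop
    Acct-Session-Id = "5A44C1A4-0000000F"
"""

# "<date> <time> (<n>) <Code> Id <id> <src> -> <dst> +<delta>"
HEADER = re.compile(r"^(\S+ \S+) \(\d+\) (\S+) Id (\d+) (\S+) -> (\S+)")
# indented "Attribute = value" lines belong to the preceding header
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")


def parse_radsniff(text):
    """Return a list of packets: dicts with time, code, id, src, dst, attrs."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"time": m.group(1), "code": m.group(2), "id": int(m.group(3)),
                            "src": m.group(4), "dst": m.group(5), "attrs": {}})
            continue
        m = ATTR.match(line)
        if m and packets:
            packets[-1]["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets


def users_by_nas(packets):
    """Map NAS-Identifier -> sorted usernames seen from it (any request type)."""
    seen = defaultdict(set)
    for p in packets:
        a = p["attrs"]
        if "User-Name" in a and "NAS-Identifier" in a:
            seen[a["NAS-Identifier"]].add(a["User-Name"])
    return {nas: sorted(users) for nas, users in seen.items()}


def open_sessions(packets):
    """Replay accounting Start/Stop records; return sessions still open by Acct-Session-Id."""
    open_ = {}
    for p in packets:
        if p["code"] != "Accounting-Request":
            continue
        a = p["attrs"]
        sid = a.get("Acct-Session-Id")
        if a.get("Acct-Status-Type") == "Start":
            open_[sid] = {"user": a.get("User-Name"), "nas": a.get("NAS-Identifier"),
                          "ip": a.get("Framed-IP-Address"), "since": p["time"]}
        elif a.get("Acct-Status-Type") == "Stop":
            open_.pop(sid, None)
    return open_


if __name__ == "__main__":
    pkts = parse_radsniff(CAPTURE)
    print("users per NAS:", users_by_nas(pkts))
    for sid, s in open_sessions(pkts).items():
        print(f"open {sid}: {s['user']} via {s['nas']} at {s['ip']} since {s['since']}")
```

Without accounting from the IPsec side only the Access-Request is visible, which tells you who authenticated but not whether the tunnel is still up; replaying Start and Stop records is what gives the equivalent of the leases view the widget lost.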