[Feature/Extension] Road warrior subnet per EAP-identity



  • Hey guys and girls,

    I had to solve a situation, where multiple road warriors should receive different IP(-subnets). Using pfSense 2.4.2p1 is not able to do this via GUI. I did it quick n dirty:

    pre-information
    IKEv2 with EAP-MSChapv2 (working in default pfSense without modifications)
    1.1.1.0/24 = pfSense LAN
    2.2.2.254 = pfSense WAN
    "mobile Clients" is the only Phase 1
    only one Phase 2 with 0.0.0.0/0

    default (created by gui)

    
    config setup
            uniqueids = yes
    
    conn bypasslan
            leftsubnet = 1.1.1.0/24
            rightsubnet = 1.1.1.0/24
            authby = never
            type = passthrough
            auto = route
    
    conn con1
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = none
            auto = add
            left = 2.2.2.254
            right = %any
            leftid = fqdn:vpn.domain.de
            ikelifetime = 10800s
            lifetime = 3600s
            ike = aes256-sha512-modp4096!
            esp = aes256-sha512-modp4096!
            leftauth=pubkey
            rightauth=eap-mschapv2
            leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
            leftsendcert=always
            leftsubnet = 0.0.0.0/0
            eap_identity=%any
            rightsourceip = 3.3.3.0/24
    
    

    just adding this into /etc/inc/vpn.inc (to overwrite pfSense generated file)

    
    conn road-1
            also=con1
            eap_identity=%identity
            rightsourceip = 4.4.4.0/24
            rightid = "user-1@domain.de"
    
    conn road-2
            also=con1
            eap_identity=%identity
            rightsourceip = 5.5.5.0/24
            rightid = "user-2@domain.de"
    
    

    how is it working?
    every road warrior not specified in ipsec.conf will receive an IP in 3.3.3.0/24
    every seperated listed road warrior will receive an IP in the specified subnet

    you also could assign one unique IP per entry (6.6.6.1/32)

    Why?
    Different identities (subnets / IP's) for different firewall rules  ;)

    I had no time for modifiying the GUI… everything is hardcoded in /etc/inc/vpn.inc. If someone has some time to integrate this…?

    EDIT
    you can enhance my quick'n'dirty mod by using leftsubnet in those conn- extensions. so you can have more control over IPsec connections in general and not just by firewall rules.



  • So here is the "mod" in /etc/inc/vpn.inc

    
    1387                         } else {
    1388                                 if (isset($ph1ent['mobile'])) {
    1389                                         $ipsecfin = "\nconn con-mobile\n";
    1390                                 }
    1391                                 else {
    1392                                         $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
    1393                                 }
    1394                                 //if (!empty($reqids[$idx])) {
    1395                                 //      $ipsecfin .= "\treqid = " . $reqids[0] . "\n";
    1396                                 //}
    1397                                 $ipsecfin .= $ipsecconnect;
    1398                                 if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
    1399                                         $tempsubnets = array();
    1400                                         foreach ($rightsubnet_spec as $rightsubnet) {
    1401                                                 $tempsubnets[$rightsubnet] = $rightsubnet;
    1402                                         }
    1403                                         $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
    1404                                         unset($tempsubnets, $rightsubnet);
    1405                                 }
    1406                                 if (!empty($leftsubnet_spec)) {
    1407                                         $tempsubnets = array();
    1408                                         foreach ($leftsubnet_spec as $leftsubnet) {
    1409                                                 $tempsubnets[$leftsubnet] = $leftsubnet;
    1410                                         }
    1411                                         $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
    1412                                         unset($tempsubnets, $leftsubnet);
    1413                                 }
    1414                                 if (isset($ph1ent['mobile'])) {
    1415                                         $ipsecfin .= "\n";
    1416                                         $ipsecfin .= "conn mobile-1\n";
    1417                                         $ipsecfin .= "\talso = con-mobile\n";
    1418                                         $ipsecfin .= "\teap_identity = %identity\n";
    1419                                         $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n";
    1420                                         $ipsecfin .= "\trightid = email:user-1@domain.de\n";
    1421
    1422                                         $ipsecfin .= "\n";
    1423                                         $ipsecfin .= "conn mobile-2\n";
    1424                                         $ipsecfin .= "\talso = con-mobile\n";
    1425                                         $ipsecfin .= "\teap_identity = %identity\n";
    1426                                         $ipsecfin .= "\trightsourceip = 2.2.2.2/32\n";
    1427                                         $ipsecfin .= "\trightid = email:user-2@domain.de\n";
    1428                                         $ipsecfin .= "\tleftsubnet = 10.10.10.0/24\n";
    1429
    1430                                         $ipsecfin .= "\n";
    1431                                         $ipsecfin .= "conn mobile-3\n";
    1432                                         $ipsecfin .= "\talso = con-mobile\n";
    1433                                         $ipsecfin .= "\teap_identity = %identity\n";
    1434                                         $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n";
    1435                                         $ipsecfin .= "\trightid = email:user-3@other-domain.de\n";
    1436                                 }
    1437                         }
    1438                         $ipsecconf .= $ipsecfin;
    1439                         unset($ipsecfin);
    
    

    lines changed
    1388 - 1393
    1414 - 1436

    mobile Users in con-mobile (defaults to con1, standard configuration via GUI) are assigned a blocked IP (no firewall rule or blocked) address eg. 192.168.1.0/24

    it's not as comfortable as via the GUI, but I now have full control of which user can access specific resources - both, firewall and routing.
    Of course, you need the firewall rules in IPsec tab.


  • Galactic Empire

    Or you could have used FreeRADIUS to assign individual IP addresses to each user.



  • @NogBadTheBad:

    Or you could have used FreeRADIUS to assign individual IP addresses to each user.

    A customer of mine has only 3 permanent mobile users and 1 for remote assistance (some special devices). He needs to seperate them in different subnets. Adding an extra instance like RADIUS would be overkill.

    Why not using the builtin function? IPsec daemon can handle this with few extra lines (yes, of course. pfSense itself needs more lines to be extended). I think it should be worth to think about it and perhaps include it in pfSense.

    I have to say, that I haven't used RADIUS till now. But what I read is, that it uses certificates which would also have to be rolled out (CA) in some scenarios. I know how to manage certificates, but less hassle with client machines makes the customer more happy ;)


  • Galactic Empire

    You can frame the IP address thats handed out to the client and base your IPsec firewall rules on the Framed-IP-Address.

    "andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020"

    Framed-IP-Address = 172.16.9.1,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Route = "0.0.0.0/0 172.16.0.1 1"

    I'm always reluctant to tell people to tweak config files using a text editor  :)

    Does /etc/inc/vpn.inc get over written with each update ?



  • The only reason why I edit vpn.inc is because I had no time to extend the GUI.  ;)
    The goal was not to use any directory/RADIUS for this. I was reading the strongswan configuration possibilities and found what I was writing.

    Ifs someone has some free time to extend the GUI with this basic strongswan feature, more people could benefit by this. For now, I have no clue how to add it to the GUI. It's not the lack of knowledge, it's the lack of having an idea how to make it easy usable… should I extend the Phase 1 form or the Pre-shared Key section?!




 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy