[Feature/Extension] Road warrior subnet per EAP-identity

  • Hey guys and girls,

    I had to solve a situation, where multiple road warriors should receive different IP(-subnets). Using pfSense 2.4.2p1 is not able to do this via GUI. I did it quick n dirty:

    IKEv2 with EAP-MSChapv2 (working in default pfSense without modifications) = pfSense LAN = pfSense WAN
    "mobile Clients" is the only Phase 1
    only one Phase 2 with

    default (created by gui)

    config setup
            uniqueids = yes
    conn bypasslan
            leftsubnet =
            rightsubnet =
            authby = never
            type = passthrough
            auto = route
    conn con1
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = none
            auto = add
            left =
            right = %any
            leftid = fqdn:vpn.domain.de
            ikelifetime = 10800s
            lifetime = 3600s
            ike = aes256-sha512-modp4096!
            esp = aes256-sha512-modp4096!
            leftsubnet =
            rightsourceip =

    just adding this into /etc/inc/vpn.inc (to overwrite pfSense generated file)

    conn road-1
            rightsourceip =
            rightid = "user-1@domain.de"
    conn road-2
            rightsourceip =
            rightid = "user-2@domain.de"

    how is it working?
    every road warrior not specified in ipsec.conf will receive an IP in
    every seperated listed road warrior will receive an IP in the specified subnet

    you also could assign one unique IP per entry (

    Different identities (subnets / IP's) for different firewall rules  ;)

    I had no time for modifiying the GUI… everything is hardcoded in /etc/inc/vpn.inc. If someone has some time to integrate this…?

    you can enhance my quick'n'dirty mod by using leftsubnet in those conn- extensions. so you can have more control over IPsec connections in general and not just by firewall rules.

  • So here is the "mod" in /etc/inc/vpn.inc

    1387                         } else {
    1388                                 if (isset($ph1ent['mobile'])) {
    1389                                         $ipsecfin = "\nconn con-mobile\n";
    1390                                 }
    1391                                 else {
    1392                                         $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
    1393                                 }
    1394                                 //if (!empty($reqids[$idx])) {
    1395                                 //      $ipsecfin .= "\treqid = " . $reqids[0] . "\n";
    1396                                 //}
    1397                                 $ipsecfin .= $ipsecconnect;
    1398                                 if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
    1399                                         $tempsubnets = array();
    1400                                         foreach ($rightsubnet_spec as $rightsubnet) {
    1401                                                 $tempsubnets[$rightsubnet] = $rightsubnet;
    1402                                         }
    1403                                         $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
    1404                                         unset($tempsubnets, $rightsubnet);
    1405                                 }
    1406                                 if (!empty($leftsubnet_spec)) {
    1407                                         $tempsubnets = array();
    1408                                         foreach ($leftsubnet_spec as $leftsubnet) {
    1409                                                 $tempsubnets[$leftsubnet] = $leftsubnet;
    1410                                         }
    1411                                         $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
    1412                                         unset($tempsubnets, $leftsubnet);
    1413                                 }
    1414                                 if (isset($ph1ent['mobile'])) {
    1415                                         $ipsecfin .= "\n";
    1416                                         $ipsecfin .= "conn mobile-1\n";
    1417                                         $ipsecfin .= "\talso = con-mobile\n";
    1418                                         $ipsecfin .= "\teap_identity = %identity\n";
    1419                                         $ipsecfin .= "\trightsourceip =\n";
    1420                                         $ipsecfin .= "\trightid = email:user-1@domain.de\n";
    1422                                         $ipsecfin .= "\n";
    1423                                         $ipsecfin .= "conn mobile-2\n";
    1424                                         $ipsecfin .= "\talso = con-mobile\n";
    1425                                         $ipsecfin .= "\teap_identity = %identity\n";
    1426                                         $ipsecfin .= "\trightsourceip =\n";
    1427                                         $ipsecfin .= "\trightid = email:user-2@domain.de\n";
    1428                                         $ipsecfin .= "\tleftsubnet =\n";
    1430                                         $ipsecfin .= "\n";
    1431                                         $ipsecfin .= "conn mobile-3\n";
    1432                                         $ipsecfin .= "\talso = con-mobile\n";
    1433                                         $ipsecfin .= "\teap_identity = %identity\n";
    1434                                         $ipsecfin .= "\trightsourceip =\n";
    1435                                         $ipsecfin .= "\trightid = email:user-3@other-domain.de\n";
    1436                                 }
    1437                         }
    1438                         $ipsecconf .= $ipsecfin;
    1439                         unset($ipsecfin);

    lines changed
    1388 - 1393
    1414 - 1436

    mobile Users in con-mobile (defaults to con1, standard configuration via GUI) are assigned a blocked IP (no firewall rule or blocked) address eg.

    it's not as comfortable as via the GUI, but I now have full control of which user can access specific resources - both, firewall and routing.
    Of course, you need the firewall rules in IPsec tab.

  • Galactic Empire

    Or you could have used FreeRADIUS to assign individual IP addresses to each user.

  • @NogBadTheBad:

    Or you could have used FreeRADIUS to assign individual IP addresses to each user.

    A customer of mine has only 3 permanent mobile users and 1 for remote assistance (some special devices). He needs to seperate them in different subnets. Adding an extra instance like RADIUS would be overkill.

    Why not using the builtin function? IPsec daemon can handle this with few extra lines (yes, of course. pfSense itself needs more lines to be extended). I think it should be worth to think about it and perhaps include it in pfSense.

    I have to say, that I haven't used RADIUS till now. But what I read is, that it uses certificates which would also have to be rolled out (CA) in some scenarios. I know how to manage certificates, but less hassle with client machines makes the customer more happy ;)

  • Galactic Empire

    You can frame the IP address thats handed out to the client and base your IPsec firewall rules on the Framed-IP-Address.

    "andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020"

    Framed-IP-Address =,
    Framed-IP-Netmask =,
    Framed-Route = " 1"

    I'm always reluctant to tell people to tweak config files using a text editor  :)

    Does /etc/inc/vpn.inc get over written with each update ?

  • The only reason why I edit vpn.inc is because I had no time to extend the GUI.  ;)
    The goal was not to use any directory/RADIUS for this. I was reading the strongswan configuration possibilities and found what I was writing.

    Ifs someone has some free time to extend the GUI with this basic strongswan feature, more people could benefit by this. For now, I have no clue how to add it to the GUI. It's not the lack of knowledge, it's the lack of having an idea how to make it easy usable… should I extend the Phase 1 form or the Pre-shared Key section?!

  • Hey guys,

    I would like to use this feature as I want to create different firewall rules for different mobile ipsec users.
    I have a working IPsec IKEv2 with EAP-MSChapv2, only one phase 2 with

    When I'm providing a virtual address pool in the mobile clients tab the user always gets an ip from that subnet ( and not the one specified in the EAP Identity PSK tab (
    When deleting the address pool in the mobile clients tab connecting fails with:

    Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
    Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found for %any6 requested by '***@***.de'
    Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> peer requested virtual IP %any6
    Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> no virtual IP found for %any requested by '***@***.de'
    Apr 10 14:01:03 	charon 		05[IKE] <con-mobile|1> peer requested virtual IP %any 

    Do I need to set a specific DNS server to get this working or what am I doing wrong here?

    Thanks for any advice!

  • Hi @posto587,

    do you have a solution for your problem? I am facing exactly the same problem.


  • Galactic Empire

    Use freeradius and assign framed ip addresses.

  • @NogBadTheBad thanks for the advice, but is free radius necessary? Isn't the idea of the change (from @Hobby-Student) to be able to assign specific IPs (or ranges) directly to given EAP identities?

  • @alhh No sorry, not found a solution yet. I'm pretty sure it will work with freeradius, but would be easier to do it directly on the EAP identities without the need to install a freeradius server.

  • In case the change is not working, do we need to add an another change or bug request somewhere? Because the idea and feature is quite useful.

Log in to reply