Restrict access for certain VPN users?
We have an existing IPsec configuration on pfSense 2.4.4.
Now I got a request from a service engineer who would like to access one certain device in our network via VPN. I don't like the idea that he can see all devices in our network. Is there a possibility to set up firewall rules so that VPN user A sees a different set of devices than VPN user B?
If not, do you have any other hints? Like temporarily enabling the user on request and otherwise having it disabled?
You can configure the user access through the access rules of the IPsec interface. These rules will apply to incoming packets from the other side of the tunnel.
In this way, you can configure the firewall so that the service engineer (IP A) can only access one device (IP B) through the VPN.
This is provided we are talking about a site-to-site configuration, and the service engineer's computer has a static IP.
If we are talking about road warriors, then you can consider the OpenVPN option. In this case, you can configure the server so that each remote client is assigned a specific IP address, and on this basis it is already possible to build a security policy.
Look at FreeRADIUS to hand out fixed IP addresses; you can then have firewall rules based on IP addresses.
There is quite a bit more work to enable this.
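The two answers above rest on one idea: give each VPN user a fixed tunnel address, then write first-match rules on the IPsec interface keyed on that address, ending in an explicit deny. The following script is an added illustration of that policy, not code from the thread or from pfSense; the pool, the per-user /32 addresses, the device address and the user names are constructed placeholders. It shows the engineer reaching only device B on one port, a client that fell back to the dynamic pool (the failure described later in the thread) being denied everything, a permissive "pass any" rule set granting everyone everything, and a check that the fixed addresses do not overlap the dynamic pool.

```python
"""Model of per-VPN-user access control keyed on a fixed tunnel address.

Constructed example: every address, pool and user name below is a placeholder
and not the poster's real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")

# Constructed addressing plan (assumption, not the poster's real network).
DEFAULT_POOL = ip_network("10.99.0.0/24")          # dynamic mobile-client pool
FIXED_ADDRESSES = {                                 # per-user fixed /32, e.g. via
    "engineer": ip_network("10.99.1.10/32"),        # RADIUS Framed-IP-Address
    "admin": ip_network("10.99.1.20/32"),
}
DEVICE_B = ip_network("192.168.10.50/32")           # the one device the engineer may reach
LAN = ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"          # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None = any destination port


# Least-privilege rule set for the IPsec interface: first match wins,
# and the last rule makes the default deny explicit.
IPSEC_RULES: List[Rule] = [
    Rule("pass", FIXED_ADDRESSES["engineer"], DEVICE_B, "tcp", 22),
    Rule("pass", FIXED_ADDRESSES["admin"], LAN),
    Rule("block", ANY, ANY),
]

# The typical quick setup: everything coming out of the tunnel is allowed.
PERMISSIVE_RULES: List[Rule] = [Rule("pass", ANY, ANY)]


def evaluate(rules: List[Rule], src: str, dst: str,
             proto: str = "tcp", dport: Optional[int] = None) -> str:
    """Return the action of the first rule matching the flow (first-match semantics).

    If nothing matches, the flow is blocked: an unmatched packet is never passed.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "block"


def fixed_addresses_inside_pool(pool, fixed: Dict[str, object]) -> List[str]:
    """Return the users whose fixed address overlaps the dynamic pool.

    Such an overlap is a misconfiguration: the same address could be leased to
    an arbitrary client, which would then inherit that user's pass rule.
    Accepts networks or strings for both arguments.
    """
    pool_net = ip_network(str(pool))
    return sorted(user for user, net in fixed.items()
                  if ip_network(str(net)).overlaps(pool_net))


if __name__ == "__main__":
    # Engineer on his fixed address: SSH to device B only.
    print(evaluate(IPSEC_RULES, "10.99.1.10", "192.168.10.50", "tcp", 22))   # pass
    print(evaluate(IPSEC_RULES, "10.99.1.10", "192.168.10.51", "tcp", 22))   # block
    # Engineer leased an address from the default pool instead: denied everywhere.
    print(evaluate(IPSEC_RULES, "10.99.0.7", "192.168.10.50", "tcp", 22))    # block
    # With the permissive rule set every tunnel client sees the whole LAN.
    print(evaluate(PERMISSIVE_RULES, "10.99.0.7", "192.168.10.77"))           # pass
    print(fixed_addresses_inside_pool(DEFAULT_POOL, FIXED_ADDRESSES))         # []
```

The point of the pool-address case is that address-keyed rules only fail closed when the rule set ends in a deny; with a pass-any rule in front, a client that lands in the dynamic pool sees the whole LAN, which is exactly the situation the question wants to avoid.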
Okay, so with default IPsec there's no chance to hand out fixed IP addresses, and therefore no possibility to attach specific access rights?
I'll probably stick to the simple enable-on-request solution then. Thanks!
There is such an opportunity for road warriors.
What authentication method is used?
We authenticate via Active Directory. "Pre-Shared Keys" as in your screenshot is empty in our pfSense config.
It doesn't matter.
You can fill in this field with any characters, as long as the user ID matches.
This creates a config for the user "engineer" and assigns the required IP address.
@luas For example
I have authorization configured on certificates.
I tried this, but with no luck.
I used "username" or "email@example.com" as Identifier, entered a Pre-Shared Key and a specific IP address with mask /32.
But I still get an address from the default pool.
I also tried to configure a unique PSK for the engineer in the given dialog, but then the tunnel won't come up at all.
Any other idea?
Show me how you filled in these fields.
And what is the ID of the engineer?
If the problem is still relevant, I think I know how to solve it.