IPSEC widget "empty" - freeradius assigned client ip



  • Hi,

    I have a working IPSec IKEv2 setup for my mobile devices with radius authorization and ip address assignment via radius user profile.

    To secure static IP assignment for vpn clients, I had to leave "Mobile Clients" / "Virtual Address Pool" empty. Otherwise IP addresses are assigned from that pool and radius user profile ip addresses are ignored.

    The consequence is that the IPSec widget becomes useless. Although "Status / IPSec" provides all information about existing connections, the widget itself shows no entries in Overview and Tunnel section as well as a note "No mobile tunnels have been configured" in the Mobile section.

    Anything I could do to change this? Or is it a known limitation of the widget? Or ... is there anything I could do to make radius user profile client IP assignment work even though a Virtual Address Pool is assigned?

    BTW: Running everything on latest stable release.

    /t



  • Works from the Status -> IPsec -> Overview page, just not the main page IPsec widget. Guess you're using Framed-IP addresses in Freeradius?



  • Correct @NogBadTheBad



  • @three
    All these connections can be seen in the tab
    /Status/IPsec/SPDs

    192.168.200.150	0.0.0.0/0	◄ Inbound	ESP	31.173.82.70 -> 79.XX.XXX.XXX
    0.0.0.0/0	192.168.200.150	► Outbound	ESP	79.XX.XXX.XXX -> 31.173.82.70
    


  • Correct ... I was just wondering why they do not pop up in the standard IPSec widget and whether there is anything I can do to let them pop up there as well.

    It's just nice to have it right in front of me w/o further digging into the system :)



  • Looking at the widget code src it gets the info from the mobile pool.

    https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/widgets/widgets/ipsec.widget.php



  • Thanks @NogBadTheBad .. that clarifies my options ☺

    The code looks like an original Chinese Menu Card to me 🍜



  • @three
    To get a list of leased ip addresses PF uses the command
    ipsec leases
    If you use Radius to get an ip address, this command will not show anything.

    [2.4.4-RELEASE][admin@ru.m.org]/root: ipsec leases
    no pools found
    [2.4.4-RELEASE][admin@ru.m.org]/root: 
    

    and if you use the standard settings, then

    root@fr:/usr/home/konstanti # ipsec leases
    Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
        192.168.151.2   offline   'macbookpro2015.m.org'
        192.168.151.1   online   'sony_xperia.m.org'
    root@fr:/usr/home/konstanti # 
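
Added example (not part of the original posts and not pfSense's widget code): a small Python parser for the two `ipsec leases` outputs quoted above, showing that the RADIUS-assigned setup yields no pool and therefore no rows for anything that lists mobile clients from leases. The sample strings are copied from the thread; the function names are hypothetical.

```python
import re

# Samples copied from the two `ipsec leases` outputs quoted in the thread.
RADIUS_ONLY = "no pools found\n"
LOCAL_POOL = """\
Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
    192.168.151.2   offline   'macbookpro2015.m.org'
    192.168.151.1   online   'sony_xperia.m.org'
"""

POOL_RE = re.compile(r"^Leases in pool '([^']+)', usage: (\d+)/(\d+), (\d+) online\s*$")
LEASE_RE = re.compile(r"^\s+(\S+)\s+(online|offline)\s+'([^']*)'\s*$")


def parse_leases(text):
    """Return a list of pools with their leases; [] when no pool exists."""
    pools = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "no pools found":
            continue
        m = POOL_RE.match(line)
        if m:
            pools.append({"pool": m.group(1), "used": int(m.group(2)),
                          "size": int(m.group(3)),
                          "online_reported": int(m.group(4)), "leases": []})
            continue
        m = LEASE_RE.match(line)
        if m and pools:
            pools[-1]["leases"].append(
                {"ip": m.group(1), "online": m.group(2) == "online", "id": m.group(3)})
            continue
        # Fail loudly on unexpected output instead of silently showing nothing.
        raise ValueError(f"unrecognised line: {line!r}")
    return pools


def mobile_rows(text):
    """Flatten to the rows a pool-based view could list (hypothetical helper)."""
    return [(p["pool"], lease["ip"], lease["id"], lease["online"])
            for p in parse_leases(text) for lease in p["leases"]]


if __name__ == "__main__":
    for name, sample in (("RADIUS Framed-IP", RADIUS_ONLY), ("local pool", LOCAL_POOL)):
        rows = mobile_rows(sample)
        print(name, "->", rows if rows else "nothing to display")
```
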
    
    

  • Rebel Alliance Developer Netgate

    There is a chance this may behave better on 2.5.0 since it's been converted to the new swanctl format for IPsec config. Though since it defers to RADIUS it still might not keep records in that location for that type of setup.

