
    IPSEC widget "empty" - freeradius assigned client ip

    • T
      three last edited by three

      Hi,

      I have a working IPSec IKEv2 setup for my mobile devices with radius authorization and ip address assignment via radius user profile.

      To secure static IP assignment for vpn clients, I had to leave "Mobile Clients" / "Virtual Address Pool" empty. Otherwise IP addresses are assigned from that pool and radius user profile ip addresses are ignored.

      The consequence is that the IPSec widget becomes useless. Although "Status / IPSec" provides all information about existing connections, the widget itself shows no entries in Overview and Tunnel section as well as a note "No mobile tunnels have been configured" in the Mobile section.

      Anything I could do to change this? Or is it a known limitation of the widget? Or ... is there anything I could do to make radius user profile client IP assignment work even though a Virtual Address Pool is assigned?

      BTW: Running everything on latest stable release.

      /t

      • NogBadTheBad
        NogBadTheBad Galactic Empire last edited by NogBadTheBad

        Works from the Status -> IPsec -> Overview page, just not the main page IPsec widget. Guess you're using Framed-IP addresses in FreeRADIUS?

        • T
          three last edited by

          Correct @NogBadTheBad

          • K
            Konstanti @three last edited by

            @three
            All these connections can be seen in the tab
            /Status/IPsec/SPDs

            192.168.200.150	0.0.0.0/0	◄ Inbound	ESP	31.173.82.70 -> 79.XX.XXX.XXX
            0.0.0.0/0	192.168.200.150	► Outbound	ESP	79.XX.XXX.XXX -> 31.173.82.70
            
            • T
              three last edited by

              Correct ... I was just wondering why they do not pop up in the standard IPSec widget and whether there is anything I can do to let them pop up there as well.

              It's just nice to have it right in front of me w/o further digging into the system :)

              • NogBadTheBad
                NogBadTheBad Galactic Empire last edited by NogBadTheBad

                Looking at the widget code src it gets the info from the mobile pool.

                https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/widgets/widgets/ipsec.widget.php

                • T
                  three last edited by three

                  Thanks @NogBadTheBad .. that clarifies my options ☺

                  The code looks like an original Chinese Menu Card to me 🍜

                  • K
                    Konstanti @three last edited by Konstanti

                    @three
                    To get a list of leased ip addresses PF uses the command
                    ipsec leases
                    If you use Radius to get an ip address, this command will not show anything.

                    [2.4.4-RELEASE][admin@ru.m.org]/root: ipsec leases
                    no pools found
                    [2.4.4-RELEASE][admin@ru.m.org]/root: 
                    

                    and if you use the standard settings, then

                    root@fr:/usr/home/konstanti # ipsec leases
                    Leases in pool '192.168.151.0/24', usage: 2/254, 0 online
                        192.168.151.2   offline   'macbookpro2015.m.org'
                        192.168.151.1   online   'sony_xperia.m.org'
                    root@fr:/usr/home/konstanti # 
                    
                    
                    • jimp
                      jimp Rebel Alliance Developer Netgate last edited by

                      There is a chance this may behave better on 2.5.0 since it's been converted to the new swanctl format for IPsec config. Though since it defers to RADIUS it still might not keep records in that location for that type of setup.
