IPsec Mobile Group based Firewall rules - Multiple IP pools?

  • Hi

    I'm desperately looking for solutions to assign different firewall rules to different groups of users using IKEv2 Mobile IPsec VPN. Impressively, pfSense still does not support this, which renders pfSense IPsec Mobile VPN useless in larger environments.

    I’m using EAP-Radius authentication to a Windows NPS server, but pfSense cannot use a returned group identifier to assign group rights/firewall rules.
    Nor can it use the Cisco-AV-Pair ACLs, since we are using EAP-Radius authentication.

    Since IPsec rules are interface based (one size fits all), the only possible way to differentiate users so far is to assign a static IP to each user by returning the Framed-IP-Address attribute, but that does not scale well with 8000 users needing individual rules on a Windows NPS server :-)

    So my last attempt is this:
    Is there any way to set up multiple virtual IP pools instead of just one for IPsec Mobile users? The Radius server can return a Framed-Pool identifier, and if pfSense could use that to select which pool a user gets an IP from, then I could easily make different firewall rules based on Windows group membership via Radius authentication.

  • Galactic Empire

    @keyser said in IPsec Mobile Group based Firewall rules - Multiple IP pools?:

    IPsec Mobile VPN

    Use Framed-IP addresses in Radius, then create firewall rules based on the ip address handed out.

    A bit of a pain but it works.
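Added example, not posted by either participant: the per-user Framed-IP-Address workaround described above only becomes manageable on the firewall side if every user's static address is carved out of a subnet dedicated to that user's group, so that the IPsec interface rules match on the group subnet rather than on individual hosts. The script below allocates such addresses (keeping earlier assignments stable, so existing policies and rules do not change when new users are added), refuses overlapping pools, and resolves which group's rule a given tunnel source address would hit. Group names, pool ranges and usernames are constructed for illustration, and the FreeRADIUS `users`-file rendering is only one way to carry the attribute; on Windows NPS the same Framed-IP-Address still has to live in a per-user network policy, which is the scaling problem raised in the thread.

```python
import ipaddress

# Hypothetical mapping of directory group -> dedicated IPsec virtual address range.
# Firewall rules are then written once per group subnet, not once per user.
GROUP_POOLS = {
    "vpn-admins": ipaddress.ip_network("10.99.10.0/24"),
    "vpn-staff": ipaddress.ip_network("10.99.20.0/22"),
}


def validate_pools(group_pools):
    """Pools must not overlap, otherwise a source address could match two groups' rules."""
    nets = list(group_pools.items())
    for i, (g1, n1) in enumerate(nets):
        for g2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                raise ValueError(f"pools for {g1} ({n1}) and {g2} ({n2}) overlap")
    return True


def allocate(users, group_pools=GROUP_POOLS, existing=None):
    """Assign one static address per user inside the pool of the user's group.

    users:    {username: group}
    existing: {username: "a.b.c.d"} assignments from a previous run; they are kept
              unchanged so that already-created policies and rules stay valid.
    Returns   {username: "a.b.c.d"}.
    Raises    ValueError if a kept address no longer lies in the user's group pool
              (user moved group), RuntimeError if a pool is exhausted.
    """
    validate_pools(group_pools)
    assigned = {}
    used = {g: set() for g in group_pools}

    # 1. Keep every still-relevant existing assignment.
    for user, ip in (existing or {}).items():
        if user not in users:
            continue  # user left: address is released
        addr = ipaddress.ip_address(ip)
        group = users[user]
        if addr not in group_pools[group]:
            raise ValueError(f"{user}: {ip} is outside the pool for group {group}")
        assigned[user] = ip
        used[group].add(addr)

    # 2. New users get the lowest free host address of their group's pool.
    for user in sorted(users):
        if user in assigned:
            continue
        group = users[user]
        pool = group_pools[group]
        for host in pool.hosts():
            if host not in used[group]:
                used[group].add(host)
                assigned[user] = str(host)
                break
        else:
            raise RuntimeError(f"pool {pool} for group {group} is exhausted")
    return assigned


def group_for_source(ip, group_pools=GROUP_POOLS):
    """Firewall side: which group's rule matches a packet from this tunnel address.
    Longest-prefix match; None means no group rule applies (default deny)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for group, net in group_pools.items():
        if addr in net and (best is None or net.prefixlen > group_pools[best].prefixlen):
            best = group
    return best


def radius_users_file(assigned):
    """Render assignments as FreeRADIUS `users` entries (reply item per user)."""
    out = []
    for user in sorted(assigned):
        out.append(f"{user}\n\tFramed-IP-Address = {assigned[user]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample directory: username -> group
    sample_users = {"alice": "vpn-admins", "bob": "vpn-staff", "carol": "vpn-staff"}
    table = allocate(sample_users)
    print(radius_users_file(table))
    for name, ip in table.items():
        print(f"{name:6} {ip:14} -> rule for {group_for_source(ip)}")
```

The two checks worth keeping from this even if the allocation itself is done elsewhere are the overlap test on the pools and the "address still inside the user's group pool" test on re-runs: a user moved from staff to admins keeps a staff address unless someone notices, and the firewall will keep treating them as staff.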

  • Yeah, but like I said, that does not work for us as we are currently about 8000 users with a high churn in new users.
    8000+ Radius policies and 10-100+ new policies per day is not a solution.

  • @keyser
    There is one idea, but I need to understand: is there something in common in the usernames belonging to the same group?

  • Unfortunately not.

    I'm baffled that IPsec Mobile does not have any integration features towards Radius to allow for firewall rules separation.
    It must truly only be meant for Site-to-Site, with Mobile User being a "bolt on" that really only has Site-to-Site features.
