
[Feature request] VPN IPsec Mobile Clients: Radius: Assign specific virtual IP range to users in specific groups #3295

Closed
stumbaumr opened this issue Mar 7, 2019 · 22 comments
Labels: feature (Adding new functionality)

Comments

@stumbaumr (Contributor) commented Mar 7, 2019

Is your feature request related to a problem? Please describe.
I would like to assign IPsec mobile users to separate virtual IP pools. I require this to allow or prohibit access for users in certain groups to specific network resources.

Example: Three groups (Admins, Developers, Users) have separate virtual IP pools. These network ranges are then used in firewall rules on the current IPsec peer or even on another firewall behind an IPsec tunnel in a different location.

The groups and users are configured on a remote Radius server.

Describe the solution you'd like
I would like to use the "Group Selection" feature described here:
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadius

I understand that this is a very specific setup. So maybe it would be best to have a text field "Advanced Configuration" whose content is saved into /usr/local/etc/ipsec.advanced.conf, with an include ipsec.advanced.conf statement in ipsec.conf. Almost the same as OpenVPN has it.

For strongswan.conf the only requirement is to add class_group = yes to the eap-radius section. It seems it does not hurt in case it is set and no class is passed back from the Radius server.

Describe alternatives you've considered
As far as I understand there is currently no functionality that allows users to be assigned into specific virtual IP ranges.

And from my searches it seems I am not the first person to ask.

Here is my tested configuration, which I would like to put in ipsec.advanced.conf:

```
conn mobile
  # shared IKE settings; the per-group conns below pull these in via "also"
  aggressive = no
  fragmentation = yes
  keyexchange = ike
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = yes
  installpolicy = yes
  ikelifetime = 28800s
  ike = aes256-aesxcbc-modp2048,aes256-aesxcbc-modp1024,aes256-sha512-modp2048,aes256-sha512-modp1024,aes256-sha384-modp2048,aes256-sha384-modp1024,aes256-sha256-modp2048,aes256-sha256-modp1024!
  dpdaction = clear
  dpddelay = 10s
  dpdtimeout = 60s
  left = XX.XX.XX.XX
  leftid = vpn.example.com
  leftauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-2.crt
  leftsendcert = always
  rightsendcert = never
  right = %any

conn mobile-ops
  also = mobile
  rightauth = eap-radius
  eap_identity = %any
  # only peers whose RADIUS Class attribute contains VPN-OPS match this conn
  rightgroups = "VPN-OPS"
  leftsubnet = 10.0.0.0/8,192.168.0.0/22
  # per-group virtual IP pool; firewall rules key off this range
  rightsourceip = 10.20.35.32/28
  auto = add

conn mobile-dev
  also = mobile
  rightauth = eap-radius
  eap_identity = %any
  rightgroups = "VPN-DEV"
  leftsubnet = 10.0.0.0/8
  rightsourceip = 10.20.35.0/27
  auto = add

conn mobile-user
  also = mobile
  rightauth = eap-radius
  eap_identity = %any
  rightgroups = "VPN-USER"
  leftsubnet = 10.0.0.0/8
  rightsourceip = 10.20.35.128/25
  auto = add
```

Do you think there is a chance of a PR for this being accepted?

stumbaumr changed the title from "VPN IPsec Mobile Clients: Assign specific virtual IP range to users in specific groups" to "[Feature request] VPN IPsec Mobile Clients: Assign specific virtual IP range to users in specific groups" on Mar 7, 2019
@mimugmail (Member)

Currently this only works with OpenVPN. For IPSec you can only use one Pool / Policy.

@stumbaumr (Contributor, author) commented Mar 8, 2019

The above config example will create three policies (three phase 1 with four phase 2). So yes, one virtual IP pool (rightsourceip) per policy.

Maybe the output of ipsec statusall makes it a little bit clearer... (redacted...)

```
root@opnsense01:/usr/local/etc # ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, FreeBSD 11.2-RELEASE-p9-HBSD, amd64):
  uptime: 69 seconds, since Mar 08 06:41:08 2019
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Virtual IP pools (size/online/offline):
  10.20.36.32/28: 14/0/0
  10.20.36.0/27: 30/1/0
  10.20.36.128/25: 126/0/0
Listening IP addresses:
  XX.XX.XX.130
Connections:
  mobile-ops:  XX.XX.XX.130...%any  IKEv1/2, dpddelay=10s
  mobile-ops:   local:  [vpn.example.com] uses public key authentication
  mobile-ops:    cert:  "CN=vpn.example.com"
  mobile-ops:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
  mobile-ops:    group: VPN-OPS
  mobile-ops:   child:  10.0.0.0/8 192.168.0.0/22 === dynamic TUNNEL, dpdaction=clear
  mobile-dev:  XX.XX.XX.130...%any  IKEv1/2, dpddelay=10s
  mobile-dev:   local:  [vpn.example.com] uses public key authentication
  mobile-dev:    cert:  "CN=vpn.example.com"
  mobile-dev:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
  mobile-dev:    group: VPN-DEV
  mobile-dev:   child:  10.0.0.0/8 === dynamic TUNNEL, dpdaction=clear
 mobile-user:  XX.XX.XX.130...%any  IKEv1/2, dpddelay=10s
 mobile-user:   local:  [vpn.example.com] uses public key authentication
 mobile-user:    cert:  "CN=vpn.example.com"
 mobile-user:   remote: uses EAP_RADIUS authentication with EAP identity '%any'
 mobile-user:    group: VPN-USER
 mobile-user:   child:  10.0.0.0/8 === dynamic TUNNEL, dpdaction=clear
Security Associations (3 up, 0 connecting):
  mobile-dev[3]: ESTABLISHED 7 seconds ago, XX.XX.XX.130[vpn-ikev2.boerse-go.de]...XX.XX.XX.141[192.168.178.58]
  mobile-dev[3]: Remote EAP identity: stumbaumr
  mobile-dev[3]: IKEv2 SPIs: ab8c66ff87c91b01_i ea8af2b328c0c4ca_r*, public key reauthentication in 7 hours
  mobile-dev[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  mobile-dev{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: ce36959c_i 0cc26072_o
  mobile-dev{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
  mobile-dev{3}:   10.0.0.0/8 === 10.20.36.1/32
root@opnsense01:/usr/local/etc #
```
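The `ipsec statusall` listing above is the only place that shows which pool a client actually landed in: the IKE_SA carries the connection name and the EAP identity, and the CHILD_SA traffic selector carries the /32 that was handed out. The following script is an added example (not code from this issue, OPNsense or strongSwan) that parses that text format and checks, for every established client, that its virtual IP lies inside the pool its connection is supposed to serve. The connection-to-pool mapping and the sample output are constructed here from the thread (using the 10.20.36.0/24 addressing that statusall printed); the second client in the sample is made up to show what a misassignment looks like.

```python
"""Audit which virtual-IP pool each established mobile client received.

Added example, not part of the issue, OPNsense or strongSwan.  Parses the
text printed by `ipsec statusall` (strongSwan 5.x stroke interface) and
verifies that each client's /32 remote traffic selector is inside the pool
configured for the connection it authenticated against.
"""
import ipaddress
import re

# Assumed mapping conn name -> rightsourceip pool, mirroring the ipsec.conf in the thread.
EXPECTED_POOLS = {
    "mobile-ops": ipaddress.ip_network("10.20.36.32/28"),
    "mobile-dev": ipaddress.ip_network("10.20.36.0/27"),
    "mobile-user": ipaddress.ip_network("10.20.36.128/25"),
}

# Constructed sample: the dev client from the thread, plus an "ops" client that
# was handed an address out of the user pool (the misassignment reported later on).
SAMPLE_STATUSALL = """\
Security Associations (2 up, 0 connecting):
  mobile-dev[3]: ESTABLISHED 7 seconds ago, 192.0.2.130[vpn.example.com]...198.51.100.141[192.168.178.58]
  mobile-dev[3]: Remote EAP identity: stumbaumr
  mobile-dev[3]: IKEv2 SPIs: ab8c66ff87c91b01_i ea8af2b328c0c4ca_r*, public key reauthentication in 7 hours
  mobile-dev[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  mobile-dev{3}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: ce36959c_i 0cc26072_o
  mobile-dev{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
  mobile-dev{3}:   10.0.0.0/8 === 10.20.36.1/32
  mobile-ops[4]: ESTABLISHED 2 minutes ago, 192.0.2.130[vpn.example.com]...203.0.113.7[10.1.1.5]
  mobile-ops[4]: Remote EAP identity: alice
  mobile-ops{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 11aa22bb_i 33cc44dd_o
  mobile-ops{4}:   10.0.0.0/8 192.168.0.0/22 === 10.20.36.130/32
"""

IKE_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\[(?P<id>\d+)\]: ESTABLISHED")
EAP_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\[(?P<id>\d+)\]: Remote EAP identity: (?P<ident>\S+)")
TS_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S.*?) === (?P<remote>.+)$")


def parse_sas(text):
    """Return one dict per established IKE_SA: conn, ike_id, identity, list of virtual IPs.

    CHILD_SA lines follow their parent IKE_SA in statusall output, so the most
    recently seen IKE_SA is the owner of the traffic selectors that follow.
    """
    sas, current = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = {"conn": m["conn"], "ike_id": int(m["id"]), "identity": None, "vips": []}
            sas.append(current)
            continue
        m = EAP_RE.match(line)
        if m and current is not None:
            current["identity"] = m["ident"]
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            for ts in m["remote"].split():
                net = ipaddress.ip_network(ts, strict=False)
                if net.prefixlen == net.max_prefixlen:  # a /32 (or /128) is a virtual IP
                    current["vips"].append(net.network_address)
    return sas


def audit(text, expected_pools):
    """Return (identity, conn, vip, conn_owning_that_pool_or_None, ok) per virtual IP."""
    findings = []
    for sa in parse_sas(text):
        pool = expected_pools.get(sa["conn"])
        for vip in sa["vips"]:
            owner = next((name for name, net in expected_pools.items() if vip in net), None)
            ok = pool is not None and vip in pool
            findings.append((sa["identity"], sa["conn"], str(vip), owner, ok))
    return findings


def violations(findings):
    """Only the clients whose address came from a pool their conn should not hand out."""
    return [f for f in findings if not f[4]]


if __name__ == "__main__":
    for ident, conn, vip, owner, ok in audit(SAMPLE_STATUSALL, EXPECTED_POOLS):
        print(f"{'OK ' if ok else 'BAD'} {ident:<12} {conn:<12} {vip:<16} pool of: {owner}")
```

Run it against `ipsec statusall` piped into `SAMPLE_STATUSALL` (or read from stdin) after every config reload; any `BAD` line means a firewall rule keyed on the pool range is granting or denying the wrong group.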

@mimugmail (Member)

When you search the closed issues you will find one from me asking the same. There are some problems when mixing auth types.

I know it's technically easy to implement via CLI but quite a lot of rewrite for the UI part.

@stumbaumr (Contributor, author)

> I know it's technically easy to implement via CLI but quite a lot of rewrite for the UI part.

Very true!

That is why I wanted to suggest an "Advanced Configuration" text box. I am sure that my requirement is very specific and not worth implementing/maintaining in the GUI. But currently any reconfiguration/restart of IPsec will break my configuration from the command line, and I have no backup/version management of it.

That is why I was asking if a PR for an "Advanced Configuration" text box would stand a chance.

@stumbaumr (Contributor, author)

So we created a PR for that then...

@stumbaumr (Contributor, author)

So this actually works for us. It is not as nice as PR #3298 since there is no config backup and no config sync to the HA backup system.

stumbaumr changed the title from "[Feature request] VPN IPsec Mobile Clients: Assign specific virtual IP range to users in specific groups" to "[Feature request] VPN IPsec Mobile Clients: Radius: Assign specific virtual IP range to users in specific groups" on Sep 5, 2023
stumbaumr reopened this on Sep 5, 2023
@OPNsense-bot

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Sep 5, 2023
OPNsense-bot added the "help wanted" (Contributor missing / timeout) label on Sep 5, 2023
@stumbaumr (Contributor, author) commented Sep 5, 2023

Since 23.1 swanctl.conf is used and ipsec.conf has been abolished.
The tutorial to assign IP address ranges based on the class_group no longer works.
After looking through the new VPN->IPsec->Connections it would be awesome to just add "Class" as an additional field when selecting "EAP Radius" as Authentication. Adding it using include files is error prone since the generated UUID seems to change sometimes...
This also requires adding class_group = yes in strongswan.conf in the eap-radius section - this should be done when the checkbox "Synchronize groups" in System->Access->Servers for a Radius server is set.

@AdSchellevis Any chance a PR for this would be accepted?
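The mechanism behind the request is worth seeing end to end: the RADIUS server returns one or more Class attributes (RFC 2865, attribute type 25) in its Access-Accept, the eap-radius plugin turns those values into group names when `class_group = yes`, and the `groups`/`rightgroups` constraint on each connection decides which per-group connection (and therefore which pool) the client ends up in. The script below is an added example, not code from this issue, OPNsense, strongSwan or any RADIUS library. It encodes and verifies a minimal Access-Accept with the stdlib, extracts the Class values as groups, and applies a simplified model of connection selection that is an assumption here, not strongSwan's own logic: the first connection whose `groups` list is empty or shares a member with the client's groups wins. The shared secret, Request Authenticator and connection lists are constructed for the demonstration.

```python
"""RADIUS Class attribute -> strongSwan group -> per-group connection.

Added example (not code from the issue, OPNsense, strongSwan or a RADIUS
library).  Builds/verifies an Access-Accept carrying Class attributes,
extracts the Class values the way class_group = yes uses them as group
names, and models how the `groups` constraint selects a connection.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CLASS = 25


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length (incl. header), value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(identifier, request_auth, secret, attrs):
    """Access-Accept; Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_response(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator (wrong secret or tampered packet)")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", body[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def groups_from_class(attrs):
    """With class_group = yes, each Class value becomes a group name used for authorization."""
    return [value.decode("utf-8", "replace") for attr_type, value in attrs if attr_type == ATTR_CLASS]


def select_connection(client_groups, connections):
    """Simplified model (assumption): first conn whose groups list is empty or overlaps the client's."""
    wanted = set(client_groups)
    for name, required in connections:
        if not required or wanted & set(required):
            return name
    return None  # no conn accepts this client: authorization fails


# Per-group connections as in the thread.  The broken variant omits `groups` on the
# first conn, so it accepts every authenticated user regardless of Class.
CONNS_OK = [("mobile-ops", ["VPN-OPS"]), ("mobile-dev", ["VPN-DEV"]), ("mobile-user", ["VPN-USER"])]
CONNS_BROKEN = [("mobile-ops", []), ("mobile-dev", ["VPN-DEV"]), ("mobile-user", ["VPN-USER"])]

SECRET = b"testing123"           # constructed shared secret
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator (random in real traffic)


def demo(user, classes, connections, secret=SECRET, request_auth=REQUEST_AUTH):
    """Simulate the server's Access-Accept for `user` and the gateway's resulting conn choice."""
    attrs = [(ATTR_USER_NAME, user.encode())] + [(ATTR_CLASS, c.encode()) for c in classes]
    packet = build_access_accept(0x42, request_auth, secret, attrs)
    code, _, parsed = parse_response(packet, request_auth, secret)
    assert code == ACCESS_ACCEPT
    return select_connection(groups_from_class(parsed), connections)


if __name__ == "__main__":
    print("dev user, correct config  ->", demo("stumbaumr", ["VPN-DEV"], CONNS_OK))
    print("user w/o Class, correct   ->", demo("nobody", [], CONNS_OK))
    print("plain user, broken config ->", demo("bob", ["VPN-USER"], CONNS_BROKEN))
```

Two properties fall out of the model: a user whose Access-Accept carries no Class matches nothing and is rejected (default deny), and a connection without a `groups` constraint placed first absorbs every user, which is why every connection in the set must carry its group.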

@AdSchellevis (Member)

@stumbaumr if it's not too large, I'm certainly willing to take a look. Is there any downside in always adding "class_group = yes" in strongswan?

@stumbaumr (Contributor, author)

Just remembered there was this "Synchronize groups" checkbox in the Radius server setup - I would base it on that.

@stumbaumr (Contributor, author)

To get class_group working this needs to be added:

```
root@OPNsense:/usr/local/etc # cat strongswan.opnsense.d/strongswan.mobile.conf
charon {
    plugins {
        eap-radius {
            class_group = yes
        }
    }
}
root@OPNsense:/usr/local/etc # cat swanctl/conf.d/groups.conf
# https://www.strongswan.org/testing/testresults/ikev2/rw-eap-md5-class-radius/moon.swanctl.conf
connections {
    9940a14e-3aa7-4346-a174-03bee3e727f7 {
        remote-7d99b294-06a9-4db8-a9d7-0df5ca994da8 {
            eap_id = %any
            groups = VPN-OPS
        }
    }
}

root@OPNsense:/usr/local/etc #
```

It looks like %any cannot be set in the WebGUI for eap_id, and the default is id according to the documentation.
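The include fragment above only shows the two keys that have to be overlaid on a GUI-generated connection. For reference, the following added example (not code from this issue or OPNsense, and not its template engine) renders what a complete swanctl.conf looks like when each RADIUS group gets its own connection and pool, together with the strongswan.conf knob, and refuses overlapping pools up front, because two groups sharing addresses would silently defeat firewall rules keyed on the ranges. Local ID, certificate file and addressing are taken from the thread; the group-to-pool mapping, connection names and pool names are assumptions.

```python
"""Render per-group swanctl.conf connections with disjoint pools.

Added example (not code from the issue or OPNsense).  One IKEv2 connection
per RADIUS Class value, each with `groups = <Class>` on the remote side and
its own pool, plus the strongswan.conf setting that makes eap-radius treat
Class values as groups.
"""
import ipaddress

# Constructed mapping; pools use the 10.20.36.0/24 block seen in the thread's statusall.
GROUP_CONNS = {
    "VPN-OPS": {"pool": "10.20.36.32/28", "local_ts": "10.0.0.0/8,192.168.0.0/22"},
    "VPN-DEV": {"pool": "10.20.36.0/27", "local_ts": "10.0.0.0/8"},
    "VPN-USER": {"pool": "10.20.36.128/25", "local_ts": "10.0.0.0/8"},
}

STRONGSWAN_CONF = """\
charon {
    plugins {
        eap-radius {
            # treat RADIUS Class attribute values as group names for authorization
            class_group = yes
        }
    }
}
"""


def check_pools(group_conns):
    """Return {group: ip_network}; raise ValueError if any two pools overlap."""
    nets = {g: ipaddress.ip_network(c["pool"]) for g, c in group_conns.items()}
    seen = []
    for group, net in nets.items():
        for other, onet in seen:
            if net.overlaps(onet):
                raise ValueError(f"pool {net} for {group} overlaps {onet} for {other}")
        seen.append((group, net))
    return nets


def render_swanctl(group_conns, local_id="vpn.example.com", cert="cert-2.crt"):
    """swanctl.conf text: one IKEv2 connection per RADIUS group, each bound to its own pool."""
    check_pools(group_conns)
    conns, pools = [], []
    for group, cfg in group_conns.items():
        name = f"mobile-{group.lower()}"   # assumed naming scheme
        pool = f"pool-{group.lower()}"
        conns.append(f"""\
    {name} {{
        version = 2
        remote_addrs = %any
        pools = {pool}
        local {{
            auth = pubkey
            certs = {cert}
            id = {local_id}
        }}
        remote {{
            auth = eap-radius
            eap_id = %any
            groups = {group}
        }}
        children {{
            {name} {{
                local_ts = {cfg['local_ts']}
            }}
        }}
    }}""")
        pools.append(f"""\
    {pool} {{
        addrs = {cfg['pool']}
    }}""")
    return "connections {\n" + "\n".join(conns) + "\n}\n\npools {\n" + "\n".join(pools) + "\n}\n"


if __name__ == "__main__":
    print(STRONGSWAN_CONF)
    print(render_swanctl(GROUP_CONNS))
```

Load the rendered file with `swanctl --load-all` and confirm with `swanctl --list-pools` that three disjoint pools show up; a client authenticating with Class VPN-DEV should then appear under the `mobile-vpn-dev` connection only.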

@stumbaumr (Contributor, author)

So here is the PR for this... #6826

I left the fix for #6824 out of it since @AdSchellevis assigned it to himself already...

@Monviech (Member) commented Sep 6, 2023

@stumbaumr It was a total coincidence that I was led on the same path with the eap_id. Hope it didn't complicate things for you.

@stumbaumr (Contributor, author)

@Monviech At least it puts more eyes on the issue and hopefully speeds up the resolution...

@stumbaumr (Contributor, author)

@AdSchellevis , do I need to reopen this issue so the PR #6826 related to it is not forgotten? I see no option here in the issue to reopen it - should I create a new issue?

fichtner reopened this on Sep 12, 2023
fichtner added the "feature" (Adding new functionality) label and removed the "help wanted" (Contributor missing / timeout) label on Sep 12, 2023
fichtner added this to the 24.1 milestone on Sep 12, 2023
@fichtner (Member)

@stumbaumr as this wasn't closed because of a shipped feature, I've reopened and tagged it accordingly

@AdSchellevis (Member)

@stumbaumr a variation of your request has been merged in 928d2f8. thanks!

@stumbaumr (Contributor, author)

@AdSchellevis It looks like you are not adding the selected group into the remote section. So the first available section is assigned to every user... which in my case is the admin group... bummer...

```
        remote-7d99b294-06a9-4db8-a9d7-0df5ca994da8 {
            round = 0
            auth = eap-radius
            eap_id = %any
        }
```

Parameter groups is missing there... compare with #3295 (comment)

@AdSchellevis (Member)

ok, I do seem to inject the wrong payload (gid), but on my end there certainly is something when selected.

```
        remote-76bec83c-0dc4-45d9-91b0-16f7ecbec186 {
            round = 0
            auth = eap-radius
            groups = 2001,2002,2011
        }
```

AdSchellevis added a commit that referenced this issue on Nov 22, 2023
@stumbaumr (Contributor, author)

Ok, I think I found the mistake - I applied just the patch to the current 23.7.9 - obviously there is a lot missing compared to 24.1 ...

@fichtner (Member)

Might just be af46866 which came in after the fact :)

@stumbaumr (Contributor, author)

So I installed the development version on a test system today and tested it. Seems all ok!

Thanks so much!!!


6 participants