
Accommodate both RADIUS and pool IP addresses in IPsec. Issue #8160 #4194

Merged: 1 commit, Feb 20, 2020

Conversation

vktg
Contributor

@vktg vktg commented Feb 15, 2020

Fixed and tested copy of #3976 by @Amith211.

I have a requirement to be able to have IPSec VPN clients receive their IP addresses via RADIUS for some groups and others from a simple pool. I decided to have a stab at implementing the solution mentioned in Redmine issue 8160.

What was done:

The order in which they are queried for virtual IPs depends on the plugin load order (in-memory pools are provided by the stroke and vici plugins, respectively). The order in rightsourceip or pools is irrelevant unless multiple in-memory pools from the same backend are defined.

This is why we need to increase the priority of the eap-radius plugin with $ssconf['charon']['plugins']['eap-radius']['load'] = "2";
see https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad:

Besides simply enabling/disabling plugins the load setting accepts a numeric priority
value, which the plugin loader uses to decide in which order plugins are loaded. Plugins with the same priority are loaded
according to the default load order, unknown plugins with the same priority are loaded first and in alphabetical order.
The default priority is 1, and can also be negative to simplify moving a plugin to the end of the list.

  • removed the line
    $ssconf['starter']['config_file'] = "{$g['varetc_path']}/ipsec/ipsec.conf";
    since no such file exists

  • Fixed creating correct config file when using EAP-RADIUS without pool ( ipsec_setup_pools() used the ipsec.conf-style %radius)

P.S. As I found, you can't see mobile clients that get their IP via RADIUS on the Status / IPsec / Leases page (only under Child SA), and their IPs are not added to the tonatsubnets table.
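To make the load-priority rule quoted above concrete, here is a small model of how charon orders plugins and which in-memory pool backend therefore answers first. This is an added illustration, not strongSwan or pfSense code; DEFAULT_ORDER is an assumed, abbreviated stand-in for charon's built-in plugin list.

```python
"""Model of strongSwan's plugin load-priority rule (see the quoted wiki text).

Constructed example, not strongSwan or pfSense code. DEFAULT_ORDER is an
assumed, abbreviated stand-in for charon's built-in plugin list; the only
property that matters here is that stroke and vici precede eap-radius.
"""

# Assumed default load order (constructed for illustration).
DEFAULT_ORDER = ["random", "nonce", "openssl", "stroke", "vici", "updown", "eap-radius"]


def load_order(priorities, default_order=DEFAULT_ORDER):
    """Return plugin names in the order charon would load them.

    priorities maps plugin -> numeric 'load' value (default 1; negative
    pushes a plugin towards the end). Higher priority loads first. Within
    one priority, unknown plugins (not in default_order) come first in
    alphabetical order, then known plugins in their default order.
    """
    def rank(name):
        prio = priorities.get(name, 1)
        if name in default_order:
            return (-prio, 1, default_order.index(name), name)
        return (-prio, 0, 0, name)

    names = set(default_order) | set(priorities)
    return sorted(names, key=rank)


def first_pool_backend(priorities):
    """The in-memory pool backend consulted first: the earliest loaded of
    eap-radius, stroke and vici (the three pool providers named in the PR)."""
    order = load_order(priorities)
    return min(("eap-radius", "stroke", "vici"), key=order.index)


if __name__ == "__main__":
    # Everything at the default priority 1: stroke/vici pools win.
    print(first_pool_backend({}))
    # The PR's fix, plugins.eap-radius.load = 2: RADIUS-assigned IPs win.
    print(first_pool_backend({"eap-radius": 2}))
```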

Contributor

@jim-p jim-p left a comment


Just one little style issue

@@ -231,6 +236,12 @@
}
}

if ($pconfig['radius_ip_priority_enable']) {
if (!(isset($mobileph1) && $mobileph1['authentication_method'] == 'eap-radius')) {
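Review bot: the second operand of the `if (!(isset($mobileph1) && $mobileph1['authentication_method'] == 'eap-radius'))` test relies on `==` binding tighter than `&&`; wrap the comparison in its own parentheses, as the review asks, so the intent reads unambiguously: `if (!(isset($mobileph1) && ($mobileph1['authentication_method'] == 'eap-radius')))`. Note also that `isset($mobileph1)` alone does not guarantee the `authentication_method` key is present; `isset($mobileph1['authentication_method'])` covers both cases without an undefined-index notice.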
Contributor


Second test on this line needs parentheses

Contributor Author


fixed

@netgate-git-updates netgate-git-updates merged commit 8b4e89b into pfsense:master Feb 20, 2020