
Topic: Multiple IPSEC IkeV2 "access levels"


gelcom
Multiple IPSEC IkeV2 "access levels"
« on: December 26, 2017, 03:31:19 pm »
Guys, I have successfully set up an IKEv2 VPN server on my pfSense box. I use it to connect my iPhone to my local LAN as well as to send all internet traffic from my phone through the VPN tunnel, so internet traffic goes via the pfSense WAN.

Now, I'd like to go one step further: I'd like to have another iPhone connect to this VPN but not allow it to access my LAN, just the Internet.

Is it possible to have 2 different "profiles" to the same IKEv2 Server on pfSense? First phone with access to LAN and Internet in the tunnel and the other client with access to Internet and not the LAN?

How to accomplish that?

Please point me in the right direction here.

kind regards

NogBadTheBad
Re: Multiple IPSEC IkeV2 "access levels"
« Reply #1 on: December 26, 2017, 03:39:02 pm »
You can't via IPsec.

The only way round this is to set up FreeRADIUS, get it to do your user auth and hand out specific IP addresses to the IPsec clients:

https://forum.pfsense.org/index.php?topic=140639.msg768291#msg768291

You then need to modify your firewall rules to suit the client on the IPSec tab.

"andy" Cleartext-Password := "XXXXXXXXXX", Simultaneous-Use := "1", NAS-Identifier == strongSwan

   Framed-IP-Address = 172.16.9.1,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Route = "0.0.0.0/0 172.16.0.1 1"

The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.
« Last Edit: December 26, 2017, 04:25:59 pm by NogBadTheBad »

gelcom
Re: Multiple IPSEC IkeV2 "access levels"
« Reply #2 on: December 28, 2017, 06:41:42 am »
Thanks. It worked perfectly!

The only point is that there is no place in pfSense where I can see which FreeRADIUS users are logged in to the VPN.

Before the RADIUS login, the IPsec widget showed active connections based on the virtual IPs provided to IPsec mobile clients. Since I set up FreeRADIUS to set the client's IP this information is missing and I have no place to see which users are logged in.
Am I missing something?

The NAS-Identifier == strongSwan stops the user using their details for WPA Enterprise logins.
This is not clear to me. What's the difference with this additional NAS-Identifier == strongSwan?
BTW, is it NAS-Identifier == strongSwan or NAS-Identifier == "strongSwan"?

kind regards

NogBadTheBad
Re: Multiple IPSEC IkeV2 "access levels"
« Reply #3 on: December 28, 2017, 07:43:52 am »
Thanks. It worked perfectly!

The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.

This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan

Yes, the only issue is not being able to see who's logged in via Status -> IPSec -> Leases; the only way is looking in the logs.

RE NAS-Identifier == strongSwan: I also use FreeRADIUS for WPA Enterprise auth. If you add NAS-Identifier == strongSwan to the check items it basically says this user can only connect if the NAS-Identifier is strongSwan.

You can use radsniff -x from the CLI to see what's going on. The capture in green is when I connect to the Wi-Fi, the blue one via VPN.

2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
   User-Name = "andy"
   NAS-IP-Address = 172.16.1.11
   NAS-Port = 0
   Framed-IP-Address = 172.16.2.41
   Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
   Calling-Station-Id = "D0-4F-7E-85-D9-BE"
   NAS-Identifier = "802aa8969d8c"
   NAS-Port-Type = Wireless-802.11
   Acct-Status-Type = Start
   Acct-Session-Id = "5A44C1A4-0000000F"
   Acct-Authentic = RADIUS
   Connect-Info = "CONNECT 0Mbps 802.11b"
   Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
   User-Name = "andy-ipad"
   NAS-IP-Address = xx.xx.xx.xx
   NAS-Port = 47
   Service-Type = Framed-User
   State = 0x3011d33a3212c931f791fe04904119c2
   Called-Station-Id = "xx.xx.xx.xx[4500]"
   Calling-Station-Id = "172.16.2.41[4500]"
   NAS-Identifier = "strongSwan"
   NAS-Port-Type = Virtual
   EAP-Message = 0x020300061a03
   Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
   NAS-Port-Id = "con1"
   Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

« Last Edit: December 28, 2017, 10:03:37 am by NogBadTheBad »
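The following is an added example, not code from pfSense, strongSwan or FreeRADIUS: it parses a users-file entry in the same shape as the one posted in Reply #1 and a request in the layout radsniff -x prints in Reply #3, then applies the check-item rules in simplified form so you can see why "NAS-Identifier == strongSwan" stops the same credentials working from the Wi-Fi NAS and which reply attributes (Framed-IP-Address, Framed-Route) the matching entry hands back. The passwords, the second user and the trimmed request dumps are constructed placeholders.

```python
"""Simplified simulation of FreeRADIUS users-file check/reply semantics.
Added example, not FreeRADIUS code; all sample data below is constructed."""
import hmac
import re

# Constructed users-file text modelled on the entry posted in the thread.
USERS_FILE = '''\
"andy" Cleartext-Password := "XXXXXXXXXX", Simultaneous-Use := "1", NAS-Identifier == strongSwan
   Framed-IP-Address = 172.16.9.1,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Route = "0.0.0.0/0 172.16.0.1 1"

"andy-ipad" Cleartext-Password := "YYYYYYYYYY", NAS-Identifier == "strongSwan"
   Framed-IP-Address = 172.16.9.2,
   Framed-IP-Netmask = 255.255.255.0
'''

# Constructed requests in radsniff -x layout, trimmed to the attributes that matter.
VPN_REQUEST = '''\
2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
   User-Name = "andy"
   NAS-IP-Address = 127.0.0.1
   NAS-Identifier = "strongSwan"
   NAS-Port-Type = Virtual
'''
WIFI_REQUEST = '''\
2017-12-28 13:47:46.598198 (25) Access-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1812 +5.827
   User-Name = "andy"
   NAS-IP-Address = 172.16.1.11
   NAS-Identifier = "802aa8969d8c"
   NAS-Port-Type = Wireless-802.11
'''

ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|=)\s*(.+)$')


def split_items(text):
    """Split 'A = 1, B = "x, y"' on commas that sit outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_item(item):
    """'NAS-Identifier == strongSwan' -> ('NAS-Identifier', '==', 'strongSwan').
    Values may be quoted or bare; both spellings from the thread are accepted."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"unparseable item: {item!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip().strip('"')


def parse_users_file(text):
    """Return a list of {'name', 'check', 'reply'} entries. A line at column 0
    starts an entry and carries its check items; indented lines carry reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            entries[-1]['reply'].extend(parse_item(i) for i in split_items(raw))
        else:
            name, _, rest = raw.strip().partition(' ')
            entries.append({'name': name.strip('"'),
                            'check': [parse_item(i) for i in split_items(rest)],
                            'reply': []})
    return entries


def parse_request(dump):
    """Collect the indented 'Attr = value' lines of one radsniff -x packet."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'^\s+([\w-]+)\s*=\s*(.+)$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs


def authorize(entries, request, password):
    """Use the first entry for User-Name whose check items all match.
    Simplified: real FreeRADIUS stores Cleartext-Password := for the
    authentication stage rather than comparing it here, and ':=' on other
    attributes (Simultaneous-Use) is a server setting, not a match condition.
    Returns (accepted, reply_attributes)."""
    for entry in entries:
        if entry['name'] != request.get('User-Name'):
            continue
        matched = True
        for attr, op, value in entry['check']:
            if attr == 'Cleartext-Password':
                matched &= hmac.compare_digest(password.encode(), value.encode())
            elif op == '==':
                matched &= request.get(attr) == value
        if matched:
            return True, {attr: value for attr, _, value in entry['reply']}
    return False, {}


if __name__ == '__main__':
    users = parse_users_file(USERS_FILE)
    for label, dump in (('vpn', VPN_REQUEST), ('wifi', WIFI_REQUEST)):
        ok, reply = authorize(users, parse_request(dump), 'XXXXXXXXXX')
        print(label, 'Access-Accept' if ok else 'Access-Reject', reply)
```

Run as a script it prints an accept with the Framed-* attributes for the strongSwan request and a reject for the Wi-Fi request, because that NAS sends its own NAS-Identifier rather than strongSwan. The per-entry reply attributes are also where the two "access levels" from the original question come from: each user gets a fixed Framed-IP-Address, so the pfSense firewall rules on the IPsec tab can allow or deny LAN access by source address.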