Author Topic: [Feature/Extension] Road warrior subnet per EAP-identity

Offline Hobby-Student
[Feature/Extension] Road warrior subnet per EAP-identity
« on: January 10, 2018, 12:56:25 pm »
Hey guys and girls,

I had to solve a situation where multiple road warriors should receive different IPs (subnets). pfSense 2.4.2p1 is not able to do this via the GUI. I did it quick'n'dirty:

pre-information
IKEv2 with EAP-MSChapv2 (working in default pfSense without modifications)
1.1.1.0/24 = pfSense LAN
2.2.2.254 = pfSense WAN
"mobile Clients" is the only Phase 1
only one Phase 2 with 0.0.0.0/0

default (created by gui)
Code: [Select]
config setup
        uniqueids = yes

conn bypasslan
        leftsubnet = 1.1.1.0/24
        rightsubnet = 1.1.1.0/24
        authby = never
        type = passthrough
        auto = route

conn con1
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        mobike = no

        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = none
        auto = add
        left = 2.2.2.254
        right = %any
        leftid = fqdn:vpn.domain.de
        ikelifetime = 10800s
        lifetime = 3600s
        ike = aes256-sha512-modp4096!
        esp = aes256-sha512-modp4096!
        leftauth=pubkey
        rightauth=eap-mschapv2
        leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsendcert=always
        leftsubnet = 0.0.0.0/0
        eap_identity=%any
        rightsourceip = 3.3.3.0/24

just adding this to /etc/inc/vpn.inc (to overwrite the pfSense-generated file)
Code: [Select]
conn road-1
        also=con1
        eap_identity=%identity
        rightsourceip = 4.4.4.0/24
        rightid = "user-1@domain.de"

conn road-2
        also=con1
        eap_identity=%identity
        rightsourceip = 5.5.5.0/24
        rightid = "user-2@domain.de"

how is it working?
every road warrior not specified in ipsec.conf will receive an IP in 3.3.3.0/24
every separately listed road warrior will receive an IP in the specified subnet

you could also assign one unique IP per entry (6.6.6.1/32)

Why?
Different identities (subnets / IP's) for different firewall rules  ;)


I had no time for modifiying the GUI... everything is hardcoded in /etc/inc/vpn.inc. If someone has some time to integrate this...?

EDIT
you can enhance my quick'n'dirty mod by using leftsubnet in those conn extensions, so you can have more control over IPsec connections in general and not just via firewall rules.
« Last Edit: January 10, 2018, 02:29:24 pm by Hobby-Student »

Offline Hobby-Student
Re: [Feature/Extension] Road warrior subnet per EAP-identity
« Reply #1 on: January 11, 2018, 03:39:02 am »
So here is the "mod" in /etc/inc/vpn.inc

Code: [Select]
1387                         } else {
1388                                 if (isset($ph1ent['mobile'])) {
1389                                         $ipsecfin = "\nconn con-mobile\n";
1390                                 }
1391                                 else {
1392                                         $ipsecfin = "\nconn con{$ph1ent['ikeid']}\n";
1393                                 }
1394                                 //if (!empty($reqids[$idx])) {
1395                                 //      $ipsecfin .= "\treqid = " . $reqids[0] . "\n";
1396                                 //}
1397                                 $ipsecfin .= $ipsecconnect;
1398                                 if (!isset($ph1ent['mobile']) && !empty($rightsubnet_spec)) {
1399                                         $tempsubnets = array();
1400                                         foreach ($rightsubnet_spec as $rightsubnet) {
1401                                                 $tempsubnets[$rightsubnet] = $rightsubnet;
1402                                         }
1403                                         $ipsecfin .= "\trightsubnet = " . join(",", $tempsubnets) . "\n";
1404                                         unset($tempsubnets, $rightsubnet);
1405                                 }
1406                                 if (!empty($leftsubnet_spec)) {
1407                                         $tempsubnets = array();
1408                                         foreach ($leftsubnet_spec as $leftsubnet) {
1409                                                 $tempsubnets[$leftsubnet] = $leftsubnet;
1410                                         }
1411                                         $ipsecfin .= "\tleftsubnet = " . join(",", $tempsubnets) . "\n";
1412                                         unset($tempsubnets, $leftsubnet);
1413                                 }
1414                                 if (isset($ph1ent['mobile'])) {
1415                                         $ipsecfin .= "\n";
1416                                         $ipsecfin .= "conn mobile-1\n";
1417                                         $ipsecfin .= "\talso = con-mobile\n";
1418                                         $ipsecfin .= "\teap_identity = %identity\n";
1419                                         $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n";
1420                                         $ipsecfin .= "\trightid = email:user-1@domain.de\n";
1421
1422                                         $ipsecfin .= "\n";
1423                                         $ipsecfin .= "conn mobile-2\n";
1424                                         $ipsecfin .= "\talso = con-mobile\n";
1425                                         $ipsecfin .= "\teap_identity = %identity\n";
1426                                         $ipsecfin .= "\trightsourceip = 2.2.2.2/32\n";
1427                                         $ipsecfin .= "\trightid = email:user-2@domain.de\n";
1428                                         $ipsecfin .= "\tleftsubnet = 10.10.10.0/24\n";
1429
1430                                         $ipsecfin .= "\n";
1431                                         $ipsecfin .= "conn mobile-3\n";
1432                                         $ipsecfin .= "\talso = con-mobile\n";
1433                                         $ipsecfin .= "\teap_identity = %identity\n";
1434                                         $ipsecfin .= "\trightsourceip = 1.1.1.0/24\n";
1435                                         $ipsecfin .= "\trightid = email:user-3@other-domain.de\n";
1436                                 }
1437                         }
1438                         $ipsecconf .= $ipsecfin;
1439                         unset($ipsecfin);

lines changed
1388 - 1393
1414 - 1436

Mobile users in con-mobile (the default con1, the standard configuration via the GUI) are assigned an IP address in a blocked range (no firewall rule, or blocked), e.g. 192.168.1.0/24.

It's not as comfortable as via the GUI, but I now have full control over which user can access specific resources, both firewall and routing.
Of course, you need the firewall rules in the IPsec tab.
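An added example, not from the posts above and not pfSense or strongSwan code: a small Python generator that produces the same per-identity conn sections as the hand-written ipsec.conf snippet in the first post and the vpn.inc mod in the second (base conn plus one "also = ..." child per EAP identity with eap_identity = %identity, a rightid and its own rightsourceip). It is written as a stand-alone script rather than a vpn.inc patch. It also checks the thing the firewall-rule approach silently depends on: a per-user pool must not overlap the default pool (an unlisted identity would otherwise land in a privileged range) and two listed users' pools must not partly overlap. Two identities given exactly the same pool are accepted as a deliberately shared group, as mobile-1 and mobile-3 are above. All conn names, identities and addresses are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional


@dataclass(frozen=True)
class RoadWarrior:
    """One EAP identity and the pool it must be placed in (values made up)."""
    conn: str                                  # conn name, e.g. "mobile-1"
    identity: str                              # EAP identity the client presents
    pool: IPv4Network                          # rightsourceip for this identity
    leftsubnet: Optional[IPv4Network] = None   # optional narrower traffic selector


def check_pools(default_pool: IPv4Network, users: list[RoadWarrior]) -> None:
    """Reject layouts in which an address no longer identifies a user.

    A per-user pool inside the default pool would let an unlisted identity
    land in a privileged range; two listed users whose pools only partly
    overlap would make the IPsec-tab firewall rules ambiguous. Identical
    pools are allowed and treated as one shared group.
    """
    conns: set[str] = set()
    identities: set[str] = set()
    taken: list[tuple[str, IPv4Network]] = []
    for u in users:
        if u.conn in conns:
            raise ValueError(f"duplicate conn name {u.conn}")
        if u.identity in identities:
            raise ValueError(f"duplicate identity {u.identity}")
        conns.add(u.conn)
        identities.add(u.identity)
        if u.pool.overlaps(default_pool):
            raise ValueError(f"{u.conn}: pool {u.pool} overlaps default pool {default_pool}")
        for owner, other in taken:
            if u.pool != other and u.pool.overlaps(other):
                raise ValueError(f"{u.conn}: pool {u.pool} partly overlaps {owner} ({other})")
        taken.append((u.conn, u.pool))


def render_conns(base_conn: str, default_pool: IPv4Network,
                 users: list[RoadWarrior]) -> str:
    """Render the extra conn sections in the tab-indented style pfSense writes."""
    check_pools(default_pool, users)
    lines: list[str] = []
    for u in users:
        lines.append(f"conn {u.conn}")
        lines.append(f"\talso = {base_conn}")
        lines.append("\teap_identity = %identity")
        lines.append(f"\trightsourceip = {u.pool.with_prefixlen}")
        lines.append(f"\trightid = email:{u.identity}")
        if u.leftsubnet is not None:
            lines.append(f"\tleftsubnet = {u.leftsubnet.with_prefixlen}")
        lines.append("")
    return "\n".join(lines)


def pool_for(identity: str, default_pool: IPv4Network,
             users: list[RoadWarrior]) -> IPv4Network:
    """Pool an identity ends up in: its own conn if listed, else the base conn's."""
    for u in users:
        if u.identity == identity:
            return u.pool
    return default_pool


if __name__ == "__main__":
    # Constructed sample: the default pool is the "blocked" range nobody has rules for.
    default = IPv4Network("192.168.1.0/24")
    users = [
        RoadWarrior("mobile-1", "user-1@domain.de", IPv4Network("10.10.1.0/24")),
        RoadWarrior("mobile-2", "user-2@domain.de", IPv4Network("10.10.2.2/32"),
                    IPv4Network("10.10.10.0/24")),
        RoadWarrior("mobile-3", "user-3@other-domain.de", IPv4Network("10.10.1.0/24")),
    ]
    print(render_conns("con-mobile", default, users))
```

The output is meant to be appended after the GUI-generated mobile conn (con1 or con-mobile above); whichever name that conn has on your box is what base_conn must be, and pool_for mirrors the behaviour described in the first post: a listed identity gets its own pool, anyone else gets the base conn's.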

Offline NogBadTheBad
Re: [Feature/Extension] Road warrior subnet per EAP-identity
« Reply #2 on: January 11, 2018, 09:11:48 am »
Or you could have used FreeRADIUS to assign individual IP addresses to each user.


Offline Hobby-Student
Re: [Feature/Extension] Road warrior subnet per EAP-identity
« Reply #3 on: January 12, 2018, 03:44:41 am »
Quote from: NogBadTheBad on January 11, 2018, 09:11:48 am
Or you could have used FreeRADIUS to assign individual IP addresses to each user.

A customer of mine has only 3 permanent mobile users and 1 for remote assistance (some special devices). He needs to separate them into different subnets. Adding an extra instance like RADIUS would be overkill.

Why not use the built-in function? The IPsec daemon can handle this with a few extra lines (yes, of course, pfSense itself needs more lines to be extended). I think it would be worth thinking about and perhaps including it in pfSense.

I have to say that I haven't used RADIUS till now. But what I read is that it uses certificates, which would also have to be rolled out (CA) in some scenarios. I know how to manage certificates, but less hassle with client machines makes the customer happier ;)

Offline NogBadTheBad
Re: [Feature/Extension] Road warrior subnet per EAP-identity
« Reply #4 on: January 12, 2018, 05:52:07 am »
You can frame the IP address that's handed out to the client and base your IPsec firewall rules on the Framed-IP-Address.

Code: [Select]
"andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1", Expiration := "Jan 01 2020"
        Framed-IP-Address = 172.16.9.1,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.0.1 1"

I'm always reluctant to tell people to tweak config files using a text editor  :)

Does /etc/inc/vpn.inc get over written with each update ?

Offline Hobby-Student
Re: [Feature/Extension] Road warrior subnet per EAP-identity
« Reply #5 on: January 12, 2018, 10:24:23 am »
The only reason why I edit vpn.inc is because I had no time to extend the GUI.  ;)
The goal was not to use any directory/RADIUS for this. I was reading the strongSwan configuration possibilities and found what I wrote above.

If someone has some free time to extend the GUI with this basic strongSwan feature, more people could benefit from this. For now, I have no clue how to add it to the GUI. It's not a lack of knowledge, it's the lack of an idea of how to make it easily usable... should I extend the Phase 1 form or the Pre-shared Key section?!
