Hi there,
I want to allow a limited user to just set up IPsec tunnels.
The permission to edit Pre-Shared Keys is granted, but the menu item is missing.
Using the direct link (ui/ipsec/pre_shared_keys/) is not working; the user is redirected to the dashboard.
If I remove the trailing slash, an empty page shows up, but no existing keys are shown and no new keys can be set up.
After searching in the forums I found a hint that there could be an issue with the ACLs.
So I modified the related ACL.xml to match the URLs involved to resolve this problem - but my changes got killed by the last update :(
IPSec/ACL/ACL.xml
```xml
<name>VPN: IPsec: Edit Pre-Shared Keys</name>
<patterns>
  <pattern>ui/ipsec/pre_shared_keys</pattern>
  <pattern>api/ipsec/pre_shared_keys</pattern>
</patterns>
```
vs. the URL in the menu with trailing slash
IPsec/Menu/Menu.xml
```xml
<Keys order="30" VisibleName="Pre-Shared Keys" url="/ui/ipsec/pre_shared_keys/"/>
<KeyPairs order="40" VisibleName="Key Pairs" url="/ui/ipsec/key_pairs" />
<Settings order="50" VisibleName="Mobile & Advanced Settings" url="/ui/ipsec/connections/settings"/>
<Status order="60" VisibleName="Status Overview" url="/ui/ipsec/sessions"/>
```
My changes:
```xml
<name>VPN: IPsec: Edit Pre-Shared Keys</name>
<patterns>
  <pattern>ui/ipsec/pre_shared_keys/*</pattern>
  <pattern>api/ipsec/pre_shared_keys/*</pattern>
</patterns>
```
Maybe this behavior is related to outstanding changes regarding the old MVC (https://github.com/opnsense/core/issues/8306#issuecomment-2649006697).
Thanks in advance!
Hi hasp,
Thanks for the report. To me it looks like this is what you're looking for?
https://github.com/opnsense/core/commit/51a5118d6e2
Cheers,
Franco
Hi again,
I think I hit another one...
My limited user is not able to apply changes after a new connection is created or an existing one is modified.
The relevant API endpoint seems to be `api/ipsec/service/reconfigure`, but there is no ACL for that at all.
IMHO that should/could be added to the `VPN: IPsec: Connections` permission.
What do you think?!
PS: Is there a CLI command to reload the ACLs after manual modification? ATM I just restart the system.
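A small model of the two problems raised above (the trailing-slash mismatch between Menu.xml and the ACL patterns, and an API endpoint that no ACL entry covers), as an added example that is not part of this thread or of OPNsense's own code. It parses an ACL.xml-style fragment built from the entries quoted above; the outer `page-...` element names, the `VPN: IPsec: Connections` patterns and the pattern semantics (literal match, `*` matches anything, leading slash ignored) are assumptions made for the illustration, not a description of how OPNsense actually evaluates its ACLs.

```python
"""Toy ACL-coverage check: which menu/API URLs does a granted permission reach,
and which URLs are reachable by no permission at all (so a limited user can
never call them)? Added illustration, not OPNsense code."""
import re
import xml.etree.ElementTree as ET

# Constructed ACL document in the layout quoted in the thread. Only the <name>
# and <pattern> values of the Pre-Shared Keys entries come from the thread; the
# page-* element names and the Connections entry are placeholders.
ACL_XML = """<acl>
  <page-ipsec-psk-original>
    <name>VPN: IPsec: Edit Pre-Shared Keys (original)</name>
    <patterns>
      <pattern>ui/ipsec/pre_shared_keys</pattern>
      <pattern>api/ipsec/pre_shared_keys</pattern>
    </patterns>
  </page-ipsec-psk-original>
  <page-ipsec-psk-wildcard>
    <name>VPN: IPsec: Edit Pre-Shared Keys (wildcard)</name>
    <patterns>
      <pattern>ui/ipsec/pre_shared_keys/*</pattern>
      <pattern>api/ipsec/pre_shared_keys/*</pattern>
    </patterns>
  </page-ipsec-psk-wildcard>
  <page-ipsec-connections>
    <name>VPN: IPsec: Connections</name>
    <patterns>
      <pattern>ui/ipsec/connections/*</pattern>
      <pattern>api/ipsec/connections/*</pattern>
    </patterns>
  </page-ipsec-connections>
</acl>"""

# Constructed request list: the menu URL with its trailing slash, a connections
# page, and the reconfigure endpoint named in the thread.
REQUEST_URLS = [
    "/ui/ipsec/pre_shared_keys/",
    "/ui/ipsec/connections/settings",
    "/api/ipsec/service/reconfigure",
]


def load_acl(xml_text):
    """Return {permission name: [pattern, ...]} from an ACL.xml-style document."""
    acl = {}
    for entry in ET.fromstring(xml_text):
        name = entry.findtext("name")
        acl[name] = [p.text.strip() for p in entry.iter("pattern") if p.text]
    return acl


def pattern_to_regex(pattern):
    """Assumed semantics: '*' matches anything, the rest is literal, full match."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def url_matches(pattern, url):
    # Menu URLs carry a leading slash, ACL patterns do not; ignore it.
    return pattern_to_regex(pattern).match(url.lstrip("/")) is not None


def url_allowed(acl, granted, url):
    """True if any pattern of any granted permission matches the request URL."""
    return any(url_matches(p, url) for name in granted for p in acl.get(name, ()))


def uncovered_urls(acl, urls):
    """Audit helper: URLs that no permission in the ACL covers at all."""
    return [u for u in urls
            if not any(url_matches(p, u) for pats in acl.values() for p in pats)]


if __name__ == "__main__":
    acl = load_acl(ACL_XML)
    for name in acl:
        print(name, "->", url_allowed(acl, [name], "/ui/ipsec/pre_shared_keys/"))
    print("covered by no permission:", uncovered_urls(acl, REQUEST_URLS))
```

Under these assumed semantics the original patterns reject the menu's `/ui/ipsec/pre_shared_keys/` (the trailing slash makes the literal match fail) while the `/*` variants accept it, and `uncovered_urls` lists `/api/ipsec/service/reconfigure` as reachable by no permission, which is the kind of gap a least-privilege role setup needs to find before it ships.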
> PS: Is there a CLI command to reload the ACLs after manual modification? ATM I just restart the system.
```sh
# rm /tmp/opnsense_acl_cache.json
```
I'll take a look at the other thing.
Cheers,
Franco
```sh
# opnsense-patch https://github.com/opnsense/core/commit/54fed30c
```
(opnsense-patch takes care of clearing the cache files for you)
Cheers,
Franco
One more
```sh
# opnsense-patch https://github.com/opnsense/core/commit/5a2e399586
```
Cheers,
Franco
Thanks Franco,
I'll check/test.
Apply changes works now - Perfect!
Best regards from Merseburg ;)
Hehe, greetings from a neighbour then :)
PS: Apparently very few people use IPsec in role-based setups, but no reason not to fix it.