IPSec: Mobile clients / Roadwarrior multiple groups (=PSK)

Started by hbc, March 04, 2019, 02:58:58 PM

Hi,

I want to migrate from a quite old Cisco concentrator ::) to OPNsense. My problem is the multiple client groups.
Cisco is configured for three road warrior groups, each with own PSK.

Per default OPNsense only allows one mobile client configuration. Via manual duplication of phase1 block in config.xml and restoring the modded version, I was able to setup more mobile clients. Each one has its own PSK.

But unfortunately it will not work. Only the last phase 1 entry is working. I already tried to modify ipsec.secrets and replaced the WAN IP with %any or %any6.

Quote
Matching IDs with selectors is fairly straightforward: they have to be equal. In the case of a Road Warrior connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP address, a selector of %any will match the peer's IP address if IPv4 and %any6 will match the peer's IP address if IPv6. Currently, the obsolete notation 0.0.0.0 may be used in place of %any.
When using IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address.

It does not seem that all PSKs are tried up-down to find the fitting one. But since road warriors have dynamic ips, I have to use %any/%any6.

Any ideas how to fix this?
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Hi,

I am currently facing a similar problem here:
https://translate.google.de/translate?sl=auto&tl=en&u=https%3A%2F%2Fforum.opnsense.org%2Findex.php%3Ftopic%3D11847

Up to now I only have found this - maybe - possible option:
https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius#RADIUS-attribute-forwarding

Basically using EAP-Radius and passing the Class attribute back to StrongSwan. From there assigning a dedicated IP pool per group.

So I would also require more than one Mobile Client connection.....

Hi,

so we created a PR
https://github.com/opnsense/core/pull/3298
for our feature request
https://github.com/opnsense/core/issues/3295

If you want you could try the patch like this:

On the shell of a recent OPNsense installation (19.1.3) execute
opnsense-patch -a godmodelabs -c core -r opnsense-core 84a895464f34661a4770e6c830cf4a5341aaf843

Under VPN -> IPsec -> Mobile Clients there should be an Expert Tunnel Config.

With some StrongSwan ipsec.conf knowledge you should be able to create your configuration directly there. In the feature request there is a sample config...

Best regards
Rainer

Thanks, I will give it a try.

I found a solution to make a compatible configuration that allows 3 PSK groups, but I had to configure strongswan.conf, ipsec.conf and ipsec.secrets manually.
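For readers who want to see what a manual strongSwan configuration with several roadwarrior PSK groups looks like (the approach the last post describes, and the reason the quoted ipsec.secrets matching rule defeats multiple %any entries), here is an added example. It is not the configuration from this thread, not OPNsense's generated config, and not the patch from the PR above. The group identities (@group-a/-b/-c), the gateway identity (@vpn-gateway), the subnets, the address pools and the PSK strings are all placeholders I made up. The example relies on IKEv2, where the client's identity (IDi) arrives encrypted in IKE_AUTH and strongSwan can pick the secret by that identity; with IKEv1 main mode the responder needs the PSK before it can read the ID, so only a lookup by peer IP is possible and several %any PSKs cannot be told apart. IKEv1 aggressive mode (`aggressive = yes`) sends the ID in the clear and would also allow per-group selection, but it exposes a hash of the PSK to anyone on the path, so it is worth moving such clients to IKEv2 or EAP where possible.

```ini
# /usr/local/etc/ipsec.conf  (added example, placeholders throughout)
config setup
    # group PSK clients share one identity per group; do not replace
    # an existing SA just because another client shows up with the same ID
    uniqueids = no

conn %default
    keyexchange = ikev2
    authby = secret
    left = %any
    leftid = @vpn-gateway          # placeholder gateway identity
    leftsubnet = 10.0.0.0/8        # placeholder internal network
    right = %any                   # roadwarriors have dynamic addresses
    dpdaction = clear
    auto = add

# one conn per client group; strongSwan selects the conn by the
# identity the client presents, and the PSK by the same identity
conn rw-group-a
    rightid = @group-a
    rightsourceip = 10.100.1.0/24  # placeholder pool for group A

conn rw-group-b
    rightid = @group-b
    rightsourceip = 10.100.2.0/24  # placeholder pool for group B

conn rw-group-c
    rightid = @group-c
    rightsourceip = 10.100.3.0/24  # placeholder pool for group C
```

The matching entries in ipsec.secrets key each PSK on the group identity instead of on an address selector, so none of them needs %any or %any6 (the file itself is a separate example in the same placeholder style):

```ini
# /usr/local/etc/ipsec.secrets  (added example, placeholder secrets)
@group-a : PSK "REPLACE-WITH-LONG-RANDOM-SECRET-A"
@group-b : PSK "REPLACE-WITH-LONG-RANDOM-SECRET-B"
@group-c : PSK "REPLACE-WITH-LONG-RANDOM-SECRET-C"
```

A quick check after `ipsec reload` is `ipsec statusall`, which should list all three conns as loaded; a client that authenticates with @group-b should then receive an address from 10.100.2.0/24 rather than from the first or last pool. Because every member of a group shares one secret, rotating a PSK means re-keying every client in that group, which is the main operational argument for the RADIUS/EAP approach mentioned earlier in the thread.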