HOWTO:IPsec IKEv2 clients: Split tunnel / EAP Radius / Virtual IP pool per group
rainerle:
The HA configuration sync only sends specific sections from the XML config file to the backup node.
So rsync for those three specific directories is how I do it currently...
And speaking of HA: in case of a failover, IPsec connections are not taken over anyway. There is an existing strongSwan HA plugin, but it is not implemented in OPNsense...
https://wiki.strongswan.org/projects/strongswan/wiki/highavailability
This shows the config of an active-passive setup:
https://www.strongswan.org/testing/testresults/ha/active-passive/
hbc:
Ok, finally I managed to get a working configuration. Everything done in new include directories.
Just enabled IPsec and IKE without further configuration. So ipsec.secrets and ipsec.conf just have the include line. strongswan.conf has some more defaults.
I set up three policies like in the example to assign groups via RADIUS attribute 25 (Class). This works, but it keeps the rightsourceip of the first matched entry.
--- Code: ---Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|2> selected peer config 'mobileIPv4-ike2-Employees'
...
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> sending RADIUS Access-Request to server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received RADIUS Access-Accept from server 'addc1'
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> received group membership 'Admins' from RADIUS
Mar 28 11:13:25 hbc-gw01 charon: 10[CFG] <mobileIPv4-ike2-Employees|7> reassigning offline lease to 'acme\admin'
--- End code ---
The first matching entry, mobileIPv4-ike2-Employees, is matched. Then RADIUS is done, the group assignment is sent, and now I expect it to switch to mobileIPv4-ike2-Admins and get an IP from the admin pool. But I get an IP address from the mobileIPv4-ike2-Employees pool.
The RADIUS request should be done before selecting the peer configuration, because the peer configuration depends on the returned Class attribute. What am I doing wrong?
rainerle:
Hm, somehow the brain2brain link is not working... I failed to receive your config files :-\
hbc:
Haha. It is the same as in the ones you provided.
ipsec.conf
--- Code: ---config setup
    uniqueids = never

conn mobileIPv4-ike2
    aggressive = no
    fragmentation = yes
    keyexchange = ikev2
    mobike = yes
    reauth = yes
    rekey = yes
    forceencaps = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    left = X.X.X.X
    right = %any
    leftid = vpn.gateway.local
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = 172.16.0.0/24
    # See https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
    ike = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
    esp = aes256-sha256-modp2048,aes256-sha256-ecp256,aes128-sha256-modp2048!
    leftauth = pubkey
    rightauth = eap-radius
    rightsendcert = never
    eap_identity = %any
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    reqid = 1000

conn mobileIPv4-ike2-Employees
    also = mobileIPv4-ike2
    rightgroup = "Employees"
    rightsourceip = 172.16.0.0/24
    leftsubnet = 0.0.0.0/0
    auto = add

conn mobileIPv4-ike2-Admins
    also = mobileIPv4-ike2
    rightgroup = "Admins"
    rightsourceip = 172.17.0.0/24
    leftsubnet = 0.0.0.0/0
    auto = add
--- End code ---
strongswan.conf
--- Code: ---starter {
    load_warning = no
}

charon {
    cisco_unity = yes
    plugins {
        eap-radius {
            servers {
                addc1 {
                    address = X.X.X.X
                    secret = "2secret"
                    auth_port = 1812
                    acct_port = 1813
                }
            }
            accounting = yes
            # Activate passing the RADIUS Class attribute as rightgroups
            class_group = yes
        }
    }
}
--- End code ---
rainerle:
Mmmmh, looking through your config:
- leave the reqid and rightsourceip out of conn mobileIPv4-ike2
- The parameter rightgroup is missing a trailing s (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection)
I think the missing s is the problem here...
Sorry for the late reply...
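An added check, not part of this thread and not OPNsense's or strongSwan's own code: a small Python lint that parses conn sections in the ipsec.conf format above, resolves `also =` inheritance, and flags the two points rainerle raises (the `rightgroup` spelling and a pool/reqid on the shared base conn) plus overlapping per-group pools. The embedded sample is a constructed, cut-down copy of hbc's config; function names and messages are my own.

```python
import ipaddress
import re
# Constructed copy of the conn sections from the thread (site-specific values left out).
SAMPLE_CONF = """
conn mobileIPv4-ike2
    rightsourceip = 172.16.0.0/24
    reqid = 1000
conn mobileIPv4-ike2-Employees
    also = mobileIPv4-ike2
    rightgroup = "Employees"
    rightsourceip = 172.16.0.0/24
conn mobileIPv4-ike2-Admins
    also = mobileIPv4-ike2
    rightgroup = "Admins"
    rightsourceip = 172.17.0.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section (comments stripped)."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    return conns

def lint(conns):
    """Return findings for the two mistakes discussed in the thread plus overlapping pools."""
    findings = []
    bases = {c["also"] for c in conns.values() if "also" in c}  # conns pulled in via also=
    for name, keys in conns.items():
        if "rightgroup" in keys:  # strongSwan keyword is rightgroups (plural)
            findings.append(f"{name}: 'rightgroup' is not a strongSwan keyword, use 'rightgroups'")
        if name in bases:  # shared base should not carry a pool or reqid
            for k in ("rightsourceip", "reqid"):
                if k in keys:
                    findings.append(f"{name}: base conn sets '{k}', move it to the per-group conns")
    # Per-group pools must be disjoint, or a lease from one group lands in another's range.
    pools = [(n, ipaddress.ip_network(k["rightsourceip"]))
             for n, k in conns.items() if n not in bases and "rightsourceip" in k]
    for i, (n1, p1) in enumerate(pools):
        for n2, p2 in pools[i + 1:]:
            if p1.overlaps(p2):
                findings.append(f"{n1}/{n2}: pools {p1} and {p2} overlap")
    return findings
```

Run it as `lint(parse_conns(open("/usr/local/etc/ipsec.conf").read()))`; an empty list means none of the three problems were found.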