[SOLVED] IPsec roadwarrior Framed-IP-Address

Started by jonybat, November 01, 2022, 01:47:49 PM

November 01, 2022, 01:47:49 PM Last Edit: November 11, 2022, 12:07:17 PM by jonybat
Hi all

I'm trying to get an IPsec roadwarrior setup to work with static IPs. After some investigation, I found hints that this should be possible using RADIUS's Framed-IP-Address attribute. However, after a bunch of trial and error, I haven't been able to get it working.

The setup:
radius-server
freeradius 3.0.12 on Debian 10

rwclient Cleartext-Password := "passw0rd", Simultaneous-Use := "1"
        Framed-IP-Address = 192.168.10.99,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Route = "10.99.0.0/24 192.168.10.1 1"



OPNsense 22.7.6-amd64
WAN 10.254.1.5/24, behind NAT
LAN 10.99.0.254/24

Mobile clients

Enabled
Backend: radius-server
everything else UNSET


Phase1

Respond only
IKEv1 main
Mutual PSK + Xauth
IP address identifier
<psk>
AES256 SHA256 PFS14
Lifetime 28800
everything else UNSET


Phase2

IPv4 tunnel
LAN subnet
AES256 SHA256 PFS14
Lifetime 3600
everything else UNSET



Client
strongswan 5.9.1 on Debian 11
eth0 IP 192.168.1.105/24

ipsec.conf

conn opnsense
  keyexchange=ikev1
  aggressive=no
  ike=aes256-sha256-modp2048
  esp=aes256-sha256-modp2048
  auto=start
  authby=xauthpsk
  leftid=rwclient
  leftsourceip=%modeconfig
  right=<opnsense pub ip>
  rightid=<opnsense pub ip>
  rightsubnet=10.99.0.0/24


ipsec.secrets

<opnsense pub ip> : PSK "<psk>"
rwclient: XAUTH "passw0rd"



From the OPNsense IPsec log, you can see that the peer requests an IP, but the server does not return one:
2022-11-01T14:35:55   Informational   charon   05[ENC] <con2|8> generating INFORMATIONAL_V1 request 1520615772 [ HASH N(INVAL_ID) ]
2022-11-01T14:35:55   Informational   charon   05[IKE] <con2|8> no matching CHILD_SA config found for 192.168.1.105/32 === 10.99.0.0/24   
2022-11-01T14:35:55   Informational   charon   05[ENC] <con2|8> parsed QUICK_MODE request 1074724946 [ HASH SA No KE ID ID ]   
2022-11-01T14:35:55   Informational   charon   05[NET] <con2|8> received packet: from 217.140.xxx.xxx[46716] to 10.254.1.5[4500] (460 bytes)   
2022-11-01T14:35:55   Informational   charon   05[NET] <con2|8> sending packet: from 10.254.1.5[4500] to 217.140.xxx.xxx[46716] (76 bytes)   
2022-11-01T14:35:55   Informational   charon   05[ENC] <con2|8> generating TRANSACTION response 1061020512 [ HASH CP ]   
2022-11-01T14:35:55   Informational   charon   05[IKE] <con2|8> no virtual IP found for %any requested by 'rwclient'   
2022-11-01T14:35:55   Informational   charon   05[IKE] <con2|8> peer requested virtual IP %any

If I add an IPv4 pool on the mobile clients settings page, like 192.168.99.0/24, then phase 2 is established, but with an IP from the pool:
2022-11-01T14:40:10   Informational   charon   11[IKE] <con2|9> CHILD_SA con2{22} established with SPIs cc662891_i cc66c029_o and TS 10.99.0.0/24 === 192.168.99.1/32
2022-11-01T14:40:10   Informational   charon   11[ENC] <con2|9> parsed QUICK_MODE request 323113376 [ HASH ]   
2022-11-01T14:40:10   Informational   charon   11[NET] <con2|9> received packet: from 217.140.xxx.xxx[46716] to 10.254.1.5[4500] (76 bytes)   
2022-11-01T14:40:10   Informational   charon   11[NET] <con2|9> sending packet: from 10.254.1.5[4500] to 217.140.xxx.xxx[46716] (460 bytes)   
2022-11-01T14:40:10   Informational   charon   11[ENC] <con2|9> generating QUICK_MODE response 323113376 [ HASH SA No KE ID ID ]   
2022-11-01T14:40:10   Informational   charon   11[CFG] <con2|9> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ   
2022-11-01T14:40:10   Informational   charon   11[ENC] <con2|9> parsed QUICK_MODE request 323113376 [ HASH SA No KE ID ID ]   
2022-11-01T14:40:10   Informational   charon   11[NET] <con2|9> received packet: from 217.140.xxx.xxx[46716] to 10.254.1.5[4500] (460 bytes)   
2022-11-01T14:40:10   Informational   charon   11[NET] <con2|9> sending packet: from 10.254.1.5[4500] to 217.140.xxx.xxx[46716] (188 bytes)   
2022-11-01T14:40:10   Informational   charon   11[ENC] <con2|9> generating TRANSACTION response 3117777291 [ HASH CPRP(ADDR SUBNET SUBNET SUBNET SUBNET U_SPLITINC U_SPLITINC U_SPLITINC U_SPLITINC) ]   
2022-11-01T14:40:10   Informational   charon   11[IKE] <con2|9> assigning virtual IP 192.168.99.1 to peer 'rwclient'   
2022-11-01T14:40:10   Informational   charon   11[CFG] <con2|9> assigning new lease to 'rwclient'   
2022-11-01T14:40:10   Informational   charon   11[IKE] <con2|9> peer requested virtual IP %any

I have confirmed that the RADIUS server is returning the correct data, using OPNsense's System > Access > Tester:
User: rwclient authenticated successfully.
This user is a member of these groups:


Attributes received from server:
Framed-IP-Address => 192.168.10.99
Framed-IP-Netmask => 255.255.255.255
Framed-Route => 10.99.0.0/24 192.168.10.1 1



So, what I want to know is if I am doing something wrong, or if this is a bug / not implemented in OPNsense.

Thanks

In case someone hits this, I found an alternative solution.

Using IKEv2 + EAP-RADIUS on the OPNsense side, and then EAP-MD5 on the client side, does seem to work. The disadvantage is that a CA needs to be pushed to the client, instead of using a PSK only.

Client ipsec.conf looks like this now:
conn opnsense
      auto=start
      keyexchange=ikev2
      ike=aes256-sha256-modp2048
      esp=aes256-sha256-modp2048
      leftid=rwclient
      leftauth=eap-md5
      leftsourceip=%modeconfig
      leftsendcert=no
      right=<opnsense pub ip>
      rightid=rwserver
      rightsubnet=10.99.0.0/24
      closeaction=restart
      dpdaction=restart
      keyingtries=%forever


ipsec.secrets
rwclient : EAP "passw0rd"

And the OPNsense IPsec log:
2022-11-11T13:03:30   Informational   charon   07[IKE] <con2|398> assigning virtual IP 192.168.10.99 to peer 'rwclient'
2022-11-11T13:03:30   Informational   charon   07[IKE] <con2|398> peer requested virtual IP %any

Still not sure if my original attempt is unsupported, not implemented or broken. I got this hint when I realized that the Framed-IP-Address is documented under strongswan's eap-radius plugin: https://docs.strongswan.org/docs/5.9/plugins/eap-radius.html#_radius_attribute_forwarding
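As an added example (not from the post, OPNsense or strongSwan), a small Python checker that reads charon log lines in the format quoted above and reports, per IKE_SA, whether the peer's virtual IP came from the RADIUS Framed-IP-Address, from a local pool, or was not offered at all. The sample lines, the peer id rwclient and the expected address 192.168.10.99 are taken from the post; the log is reconstructed inline so the script runs offline.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the OPNsense charon log quoted in the post
SAMPLE_LOG = """\
2022-11-01T14:35:55   Informational   charon   05[IKE] <con2|8> peer requested virtual IP %any
2022-11-01T14:35:55   Informational   charon   05[IKE] <con2|8> no virtual IP found for %any requested by 'rwclient'
2022-11-01T14:40:10   Informational   charon   11[IKE] <con2|9> peer requested virtual IP %any
2022-11-01T14:40:10   Informational   charon   11[CFG] <con2|9> assigning new lease to 'rwclient'
2022-11-01T14:40:10   Informational   charon   11[IKE] <con2|9> assigning virtual IP 192.168.99.1 to peer 'rwclient'
2022-11-11T13:03:30   Informational   charon   07[IKE] <con2|398> peer requested virtual IP %any
2022-11-11T13:03:30   Informational   charon   07[IKE] <con2|398> assigning virtual IP 192.168.10.99 to peer 'rwclient'
"""
LINE_RE = re.compile(r"charon\s+\d+\[[A-Z]+\]\s+<(?P<sa>[^>]+)>\s+(?P<msg>.*)$")
EVENTS = {  # charon messages that matter for the virtual-IP negotiation
    "requested": re.compile(r"peer requested virtual IP (?P<val>\S+)"),
    "assigned": re.compile(r"assigning virtual IP (?P<val>\S+) to peer '(?P<peer>[^']+)'"),
    "failed": re.compile(r"no virtual IP found for \S+ requested by '(?P<peer>[^']+)'"),
    "pool_lease": re.compile(r"assigning new lease to '(?P<peer>[^']+)'"),
}

def parse_charon_log(text):
    """Collect virtual-IP events per IKE_SA (the <conN|M> tag) into a dict."""
    sas = {}
    for line in text.splitlines():
        if not (m := LINE_RE.search(line)):
            continue
        sa = sas.setdefault(m["sa"], {"peer": None})
        for name, rx in EVENTS.items():
            if ev := rx.search(m["msg"]):
                sa[name] = ev.groupdict().get("val", True)  # True for flag-only events
                if "peer" in ev.groupdict():
                    sa["peer"] = ev["peer"]
    return sas

def check_assignment(sas, expected):
    """expected maps peer id -> RADIUS Framed-IP-Address; returns {ike_sa: verdict}."""
    verdicts = {}
    for name, sa in sas.items():
        if "requested" not in sa:
            continue  # this IKE_SA never asked for a virtual IP
        exp, got = expected.get(sa["peer"]), sa.get("assigned")
        if sa.get("failed") or got is None:
            verdicts[name] = "no address offered: attribute not forwarded and no pool"
        elif exp and ip_address(got) == ip_address(exp):
            verdicts[name] = "RADIUS Framed-IP-Address honoured"
        else:
            src = "local pool lease" if sa.get("pool_lease") else "unexpected address"
            verdicts[name] = f"{src} {got} instead of RADIUS {exp}"
    return verdicts
```

Run `check_assignment(parse_charon_log(SAMPLE_LOG), {"rwclient": "192.168.10.99"})` against a real export of the IPsec log to see which IKE_SAs got a pool address instead of the one RADIUS returned.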