Distinguishing multiple IPSec road warrior connections to same WAN interface

Started by danielm, April 07, 2025, 12:39:19 AM

Hello,

We have been using a basic IPSec road warrior setup with MS-CHAPv2 authentication for some years successfully.
It is used to make it possible for users to access a few internal networks to e.g. print from home.
Now the need has arisen to have a way for admins to connect in and reach a wider range of internal networks, including sensitive ones.
Obviously, non-admins must not be able to connect into the more sensitive parts of the network.

To accomplish this, I was thinking about creating a separate IPSec connection and limit it to admin users.
But before I can even start, I already see the problem of distinguishing the two connections from the remote end.
Also, I see no way of defining a separate PSK database for the admin users, or restricting/enlarging the set of reachable subnets for any single user.
At the moment, there is just a single MS-CHAPv2 authentication method defined for all users (EAP-ID '%any'), which are all defined in the PSK database (IPSec -> Pre-Shared Keys)

Is it possible to configure this all, ideally using MS-CHAPv2 for users and admins, possibly using separate IPSec connections?
If so, how could this be done?


Hello and thanks for your reply,

I skimmed through the static IP per Roadwarrior section (have used the other sections before to set up what we have now) - so this seems to do the distinction part that I was stuck with, correct?
Multiple different connections with different authentication makes the system able to pick the right connection by user id?
If this is the way, doesn't this make it necessary to create one connection for every user?
So I would need 9 different connections for our 9 different users?
The nice part about the old solution is that with the %any ID, it does deduplicate the configuration effort nicely.

Just trying to make sense of your hint, but I would hope there is a simpler way to accomplish this maybe - even though it is nice that it is possible at all.

Yes, method 2 is the distinction, as it uses one unique "Connection + Child + Pool" (aka Phase 1 + Phase 2 + IP address pool) per user.

This will create a lot of tunnels depending on the user amount.

If unsure, OpenVPN might be the better choice as you can match users with automatic OpenVPN Group aliases.
Hardware:
DEC740

Hello and thanks for your reply,

If that is so, OpenVPN does sound like the superior solution, but, in our case, it is important that the default Windows VPN client can be used, and AFAIK, OpenVPN does rely on separately installed and maintained client software, which is unfortunate.
Otherwise, I wouldn't hesitate to use that instead, but since we have less than 15 users in the foreseeable future, the IPSec way still seems to be less hassle.
Is it indeed correct that users cannot share pools in the IPSec scenario?
Then it would seem sensible to have something like a /28 or a /27 pool for each, splitting one /24 block for up to 16 users.

You cannot share pools, how else can you control that users always get the same IP? The individual firewall rules depend on it. Also because each user gets a single matching traffic selector in their tunnel. This means they cannot trick their way around this.

I wrote the docs I'm referencing based on a real life production setup I was using, with the NCP client.
Hardware:
DEC740

Thanks for your reply,

With the pool sharing i was thinking more along the lines of one pool per "security group", e.g. one pool for the normal users and one pool for the admins.
Having only basic understanding of the technical implementation of IPSec, your answer sounds like this could disturb IPSec's ability to properly distinguish the traffic (traffic selector)?
Definitely the 16 addresses for 16 users each sounds like my best bet then.

Just to give an update and share a little piece of interesting info:
I was able to set up the system using the provided docs for static assignment, but improving upon it by not actually doing static IP assignment. Using the EAP ID, it is possible to distinguish users in the connection settings. Then, each user can get a pool depending on his permissions, e.g. I now have one pool for "office-workers" and one pool for admins. Depending on that pool, firewall aliases and rules can be generated to accommodate the permissions. Problem solved. No need for each user having its own pool (as long as there are distinguishable groups regarding the permissions).
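
Added example, not code from the thread, the poster, or the OPNsense project: OPNsense's IPsec connection settings are a front end to strongSwan's swanctl, so the approach described in the update above (one connection per user, pinned to that user's EAP identity, with connections sharing a per-group address pool and a per-group set of reachable subnets) can be expressed as a generated swanctl.conf. The script below renders that configuration from a user-to-group mapping, refuses overlapping pools (firewall rules keyed on pool aliases only separate groups when no address can belong to two groups), and shows which connection a presented EAP identity selects. Group names, subnets, user names, the server identity/certificate file name and the placeholder secrets are all constructed; the GUI fields OPNsense uses to set the same keys are not reproduced.

```python
"""Added example (not from the thread or OPNsense): render a strongSwan
swanctl.conf with one IKEv2 road-warrior connection per EAP identity, where
connections of the same group share one address pool and one traffic selector.
All names, subnets and secrets below are constructed placeholders."""

from ipaddress import ip_network

# Constructed groups: the pool each group draws client addresses from and the
# subnets its members may reach.  "reachable" becomes the child's local_ts,
# i.e. the selector the server narrows the client's 0.0.0.0/0 proposal to.
GROUPS = {
    "office": {"pool": "10.99.1.0/28",
               "reachable": ["192.168.10.0/24"]},
    "admins": {"pool": "10.99.1.16/28",
               "reachable": ["192.168.10.0/24", "192.168.20.0/24",
                             "172.16.0.0/12"]},
}

# Constructed users: EAP identity -> (group, MS-CHAPv2 password placeholder).
USERS = {
    "alice": ("admins", "REPLACE-ME-alice"),
    "bob":   ("office", "REPLACE-ME-bob"),
    "carol": ("office", "REPLACE-ME-carol"),
}


def validate(groups, users):
    """Reject overlapping pools and references to undefined groups."""
    pools = [ip_network(g["pool"]) for g in groups.values()]
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"pools {a} and {b} overlap")
    for user, (group, _) in users.items():
        if group not in groups:
            raise ValueError(f"{user}: unknown group {group}")


def pool_for(user, groups=GROUPS, users=USERS):
    return groups[users[user][0]]["pool"]


def reachable_for(user, groups=GROUPS, users=USERS):
    return list(groups[users[user][0]]["reachable"])


def _section(name, body, indent=0):
    """One strongswan.conf-style section: name { body }, newline separated."""
    pad = "    " * indent
    return [f"{pad}{name} {{"] + [f"{pad}    {line}" for line in body] + [f"{pad}}}"]


def render_swanctl(groups=GROUPS, users=USERS, server_id="vpn.example.org",
                   cert_file="vpn.example.org.pem"):
    """Return swanctl.conf text: per-user connections (remote.eap_id pins the
    EAP identity a connection accepts), per-group pools, per-user EAP secrets."""
    validate(groups, users)
    conns = []
    for user, (group, _) in sorted(users.items()):
        body = ["version = 2", f"pools = {group}",
                # modp2048 needs Set-VpnConnectionIPsecConfiguration on the
                # Windows client; its built-in default is weaker (modp1024).
                "proposals = aes256-sha256-modp2048", "send_cert = always"]
        body += _section("local", ["auth = pubkey", f"certs = {cert_file}",
                                   f"id = {server_id}"])
        body += _section("remote", ["auth = eap-mschapv2", f"eap_id = {user}"])
        child = _section(group, ["local_ts = " + ",".join(groups[group]["reachable"]),
                                 "esp_proposals = aes256-sha256"])
        body += _section("children", child)
        conns += _section(f"rw-{user}", body, 1)
    pools = []
    for group, spec in sorted(groups.items()):
        pools += _section(group, [f"addrs = {spec['pool']}"], 1)
    secrets = []
    for user, (_, secret) in sorted(users.items()):
        secrets += _section(f"eap-{user}", [f"id = {user}", f'secret = "{secret}"'], 1)
    lines = _section("connections", conns) + _section("pools", pools) \
        + _section("secrets", secrets)
    # _section already indented nested bodies; outermost sections get no pad.
    return "\n".join(l[4:] if l.startswith("    ") and False else l for l in lines) + "\n"


def connection_for_identity(eap_identity, conf):
    """Name of the connection whose remote.eap_id equals the presented EAP
    identity, or None: an identity with no pinned connection cannot connect."""
    current = None
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("rw-") and s.endswith("{"):
            current = s[:-1].strip()
        elif current and s == f"eap_id = {eap_identity}":
            return current
    return None


if __name__ == "__main__":
    print(render_swanctl())
```

The tunnel's traffic selector is what keeps an office user out of the admin subnets even if they try to send packets there; the non-overlapping pools additionally let the OPNsense firewall rules on the IPsec interface use one alias per group as a second layer. Because the users authenticate with MS-CHAPv2 inside IKEv2, the server is only authenticated by its certificate, so the Windows clients must be configured to validate that certificate (and its name) or an impostor gateway could harvest the MS-CHAPv2 exchanges.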

Do you have any tips to implement this? I try to achieve the same, but do not manage to authenticate the different EAP-MSCHAP users.

Maybe you could explain your setup. Thank you ☺️