Enhancement #2294

IPSec: honor VPNClientAccess property

Added by Giacomo Sanchietti almost 8 years ago. Updated over 7 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-ipsec
Target version:v6.5-beta3
Resolution: NEEDINFO:No

Description

Actual implementation allows all users to use L2TP/IPSec vpn.

Only users with VPNClientAccess should be allowed to use the L2TP tunnel.


Related issues

Related to NethServer 6 - Feature #1957: VPN: support IPsec/L2TP CLOSED 09/17/2013 09/20/2013
Related to NethServer 6 - Feature #2492: Move admin user in LDAP DB CLOSED 12/17/2013 12/19/2013

Associated revisions

Revision 4c775814
Added by Davide Principi over 7 years ago

NethServer::Directory module: added setGroupMembers() method. Refs #2294

Revision c841ec2b
Added by Davide Principi over 7 years ago

Allow L2TP/IPsec access to l2tpusers group members. Refs #2294

The group members list is kept consistent by
nethserver-ipsec-synchronize-l2tpusers action, by selecting any user
with VPNClientAccess=yes prop.

Revision a0d46a1e
Added by Davide Principi over 7 years ago

Create l2tpusers after admin account initialization. Refs #2294 #2492

History

#1 Updated by Davide Principi over 7 years ago

  • Subject changed from IPSec: honor VPNClientAccess peroperty to IPSec: honor VPNClientAccess property

#2 Updated by Davide Principi over 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#3 Updated by Davide Principi over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#4 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

Old version allows accessing to any user in accounts DB. After upgrading to the modified version only users listed in VPN > Accounts are allowed to connect through L2TP/IPsec protocols.

l2tpusers must have gid > 500

#5 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-directory-1.3.0-17.0git4c775814.ns6.noarch.rpm
nethserver-ipsec-1.0.0-2.0gitc841ec2b.ns6.noarch.rpm
nethserver-ipsec-1.0.0-3.0git16a8a53f.ns6.noarch.rpm

#6 Updated by Giacomo Sanchietti over 7 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90
dn: cn=l2tpusers,ou=Groups,dc=directory,dc=nh
cn: l2tpusers
gidNumber: 507
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
entryUUID: 0fa87e78-220b-1033-9f64-2b3ff0941e5f
creatorsName: cn=libuser,dc=directory,dc=nh
createTimestamp: 20140204171058Z
sambaSID: S-1-5-21-1081185447-3589350628-2846206084-1001
sambaGroupType: 2
displayName: l2tpusers
description: Unix Group l2tpusers
entryCSN: 20140204171059.104750Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140204171059Z

When user is not enabled to VPN:

Feb  4 17:47:24 server pppd[736]: Plugin winbind.so loaded.
Feb  4 17:47:24 server pppd[736]: WINBIND plugin initialized.
Feb  4 17:47:24 server pppd[736]: pppd 2.4.5 started by root, uid 0
Feb  4 17:47:24 server pppd[736]: Using interface ppp0
Feb  4 17:47:24 server pppd[736]: Connect: ppp0 <--> /dev/pts/2
Feb  4 17:47:24 server pppd[736]: Winbind has declined authentication for user!
Feb  4 17:47:24 server pppd[736]: Logon failure
Feb  4 17:47:24 server pppd[736]: Peer MYCOMPANY\\giacomo failed CHAP authentication
Feb  4 17:47:24 server pppd[736]: Connection terminated.
Feb  4 17:47:24 server pppd[736]: Exit.

If the user is enabled to VPN, the connection can be correctly established.

Marking as VERIFIED.

#8 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver/6.5/base repository.

Also available in: Atom PDF