• QNAP L2TP/IPSec (PSK)

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • connection between ipsec mobile clients

    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • SNAT From OpenVPN user to a IPSec tunnel possible?

    6
    0 Votes
    6 Posts
    866 Views
    J

    I have to admit, when I saw your post I thought that having a different number of Phase 2's on both sides would never work!

    However, it worked perfectly! I can now reach the other side from both my LAN subnet and my OpenVPN subnet.
    I cannot thank you enough, it was stupid of me trying to crack this one up for so long (weeks literally) when it was so fast to get awesome help here.

    Hope you have a perfect weekend. Thank you so much for giving me your time and even by trying the setup on your LAB.

    Regards,
    John

  • Traffic Selector unacceptable.

    14
    0 Votes
    14 Posts
    9k Views
    Derelict

    No. You need to use a site-to-site to route tunnel networks like you are trying to do. Mobile IPsec assigns one and only one address to a connecting client. It doesn't "route" subnets like a site-to-site tunnel.

    You need to work around dynamic IP addresses with something like dynamic DNS for each endpoint.

    Nothing you come up with there will be perfect. Especially if the addresses simply change abruptly.

    Set each side to update a Dynamic DNS entry pointing to their actual, routable, outside WAN address.

    Tell each side to connect to the FQDN of the DynDNS entry on the other side.

    Set each side to use their own FQDN as the IKE identifier locally, and the other side's FQDN as the remote identifier.

  • Number of IPSEC's Vpn

    2
    0 Votes
    2 Posts
    249 Views
    Derelict

    Depends on the hardware. At least dozens. Possibly hundreds. There is no set limit but there are practical limits that vary by installation (like hardware and webgui performance for managing them all.)

  • strange openvpn ipsec routing problem

    1
    0 Votes
    1 Posts
    244 Views
    No one has replied
  • Access to IPSec on VLAN

    2
    0 Votes
    2 Posts
    344 Views
    L

    Solved it by adding a P2 for the LAN and blocking all traffic except 1812/tcp from the AP.

  • Phase 2 rekey takes 180 seconds

    11
    0 Votes
    11 Posts
    1k Views
    Derelict

    No. The tunnel interface addresses are specified in the Phase 2 configuration.

  • 0 Votes
    8 Posts
    791 Views
    Grimson

    @roveer said in Mobile IPSec working but was expecting _route all_ and that's not happening:

    So you actually took the time to reply to my post and to say. You are stupid and you don't read. That's how it came off. Not very helpful. Not all of us are perfect.

    You need to be aware of your failures so you can avoid them in the future.

  • network issues - vti - gateway_alarm restarts all tunnels

    6
    0 Votes
    6 Posts
    693 Views
    S

    Thank you for your feedback!
    I will give it a try.

    Sebastian

  • L2TP - IPsec - blocked communication - Interface NG0

    5
    0 Votes
    5 Posts
    663 Views
    C

    Thanks Konstanti. I reloaded Outbound and it started working.

    Thanks a lot!

  • IPSEC mobile client in transport mode: possible? No subnets defined somehow

    17
    0 Votes
    17 Posts
    1k Views
    K

    @sgw
    You can always create a static route to the server network, but it is better to do everything correctly so that the server itself sends this information to the client )))

  • Wireless Internal Protection + Remote User VPN

    2
    0 Votes
    2 Posts
    286 Views
    Derelict

    Nowhere close to enough information to help.

    Detail the various parties by IP address/network.

    You might have to diagram it.

  • Clients in OPT1 network not reachable through tunnel

    3
    0 Votes
    3 Posts
    479 Views
    Derelict

    If you can ping the far side pfSense interface address but not the hosts behind it, it is almost always a firewall on the target host itself (think Windows Firewall).

    That or their default gateway is not the pfSense firewall. Since traffic works the other way that pretty much rules that out.

  • VPN connects but I can't access pfSense.

    9
    0 Votes
    9 Posts
    945 Views
    Z

    Thanks

    As far as I can tell the WebConfigurator CA is added to my device.
    Not sure why this works on the LAN and Wifi, but not VPN.

    I'd appreciate any help with this. Thanks

  • Can a remote VPN user (client) access other VPN IPSEC site to site?

    3
    0 Votes
    3 Posts
    526 Views
    A

    Thanks!
    I've found a similar solution that doesn't require partner side intervention.

    I've added customer network in OpenVPN:
    Tunnel Network
    10.0.2.0/24
    Local Network:
    10.0.1.0/24, 172.25.0.0/16.

    Then I've added Phase 2 with NAT:
    Local Network 10.0.2.0/24
    NAT: 10.0.1.0/24
    Remote Network: 172.25.0.0/16

    It works!

  • IPsec VPN to Fortigate

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • ipsec site to site vpn

    Moved
    8
    0 Votes
    8 Posts
    724 Views
    A

    OK, matched the Encryption Algorithm, Hash Algorithm and PFS key group again on both pfSense and Cisco, and added LAN IP of Cisco to advanced config on pfSense to ping.

    And it all now works; can ping from the firewall on both sides to local internal PCs.

    But now need to figure out routing from local subnet of site A to local subnet of site B and vice versa.

  • IPSec traffic fails.

    10
    0 Votes
    10 Posts
    1k Views
    L

    I can't track the other side, that is the Vendor. I don't have control or access to that.

    I can track the connection the company location that fails, but it is up at the moment. No problems right now.

  • Amazon VPC shows connected but no traffic passes

    2
    0 Votes
    2 Posts
    229 Views
    J

    I've tried restarting the tunnels but still get zero packets through. Is this a routing issue or something else?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.