different ACLs for different road warrior configurations?
Hey folks,
My terminology might be a little muddled here. I'll try and explain what I want to do. We currently use OpenVPN and have two different server instances running for two different use cases. I want to move those to IPsec for performance reasons. My understanding is that IPsec can only have one mobile / road warrior instance.
- VPN on Demand - iOS devices use a profile and initiate an OVPN connection which only uses a cert and allows access to a select few hosts and ports
- user-based VPN - iOS and macOS users can manually initiate a connection which uses both PKI and user-based auth. Once connected, they get full network access
Can I achieve a similar configuration with IPsec?
Ideally, the always-on VPN (on demand is the official term from Apple, I think) requires cert-based auth. I'd like those clients to be considerably more limited.
I'd like user-based clients to get full LAN access.
I was trying to imagine some way to do it with P2 rules... but I can't think of a way for pfSense (swan?) to determine the difference between a cert-only and cert+user auth.