Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multiple IPsec servers?

    IPsec
    2
    7
    926
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      SteveITS Rebel Alliance
      last edited by

      We have a setup in our data center where an IPsec VPN exists for one purpose/network. We have a request for a separate VPN to access a second network, which will be a separate subnet. If we configured that second network as an alias on LAN, is it possible to have two IPsec connections where the person/site connecting in has access to one network or the other but not both? I am having trouble finding that scenario online.

      In other words, if Person1 logs in they get network1, and if Person2 logs in they get network2.

      To add another layer, they would also like a site to site connection as well as PC to site.

      Thanks,

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote ๐Ÿ‘ helpful posts!

      NogBadTheBadN S 2 Replies Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad @SteveITS
        last edited by NogBadTheBad

        @steveits Maybe look at FreeRadius auth with framed-ip and firewall rules to allow / block access to specific subnets.

        Screenshot 2022-11-23 at 20.00.32.png

        Screenshot 2022-11-23 at 20.01.17.png

        Also you can do a site to site connection.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance
          last edited by

          @nogbadthebad OK I think I wrapped my head around that, though each person connecting would have to have a specific IP. So I'm correct that it isn't built in, but would depend on FreeRADIUS assigning the IP. Thanks.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote ๐Ÿ‘ helpful posts!

          NogBadTheBadN 1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad @SteveITS
            last edited by

            https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            S 1 Reply Last reply Reply Quote 0
            • S
              SteveITS Rebel Alliance @NogBadTheBad
              last edited by

              @nogbadthebad Ah, thanks. That uses static routes, I'm guessing because the IPs assigned aren't in the IPsec config? Same idea but doing it by network rather than individual IPs.

              I had also found a video about how to set up FreeRADIUS and OpenVPN with rules.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote ๐Ÿ‘ helpful posts!

              1 Reply Last reply Reply Quote 0
              • S
                SteveITS Rebel Alliance @SteveITS
                last edited by SteveITS

                @steveits said in Multiple IPsec servers?:

                if Person1 logs in they get network1, and if Person2 logs in they get network2

                I got this set up with freeRADIUS. The IP is assigned to the remote PC, and "Virtual Address Pool" is unchecked.

                I set up a second phase 2, just like the first but with a different local subnet. Notably that local subnet does not yet exist on the router. It doesn't show on the remote PC (via "route print", Windows)...is that because it isn't handed out if it doesn't exist on the router? I can add it but will need to do so after hours.

                To be complete, it seems to me each client (of which there is 1 right now, driving this) would need their own subnet. Then we can create rules to block access to other client subnets.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote ๐Ÿ‘ helpful posts!

                S 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Rebel Alliance @SteveITS
                  last edited by

                  I had to let it percolate a bit to remember that way back when this was set up the PowerShell script adds a route for the subnet:

                  Add-VpnConnectionRoute -ConnectionName "name" -DestinationPrefix 10.2.2.0/24

                  IPsec tab FW blocks from source IP to each subnet work great.

                  Thanks,

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote ๐Ÿ‘ helpful posts!

                  1 Reply Last reply Reply Quote 1
                  • S SteveITS referenced this topic on
                  • S SteveITS referenced this topic on
                  • keyserK keyser referenced this topic on
                  • keyserK keyser referenced this topic on
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.