IPsec mobile VPN with multiple phase 2 entries
-
I would like to say I have used pfSense for years now and it's fantastic. This is the first problem I have had with it that I have not been able to figure out or find any information on. I have been messing around with this for 2 weeks now and have gotten nowhere. I figure someone must have a setup similar to this.
I have a multi-site IPsec VPN setup with a main office and 2 remote offices.
All sites are running 2.0.1-RELEASE (i386).
Main office is 192.168.30.0/24 (static public IP)
remote office 1 is 192.168.58.0/24 (dynamic public IP)
remote office 2 is 192.168.1.0/24 (static public IP)
I currently have individual site-to-site VPNs set up between all of them, and it's very stable and works great. I am using the Shrew Soft VPN client (tried both stable and beta) to connect to the main office (192.168.30.0) network. This again works perfectly. The problem starts when trying to reach the remote offices over the tunnel. I have read that pfSense 2.0 will allow for multiple phase 2 entries that let you connect multiple subnets over a single IPsec tunnel. So in the phase 2 entries of the mobile client connection I have added another tunnel to allow access to the 192.168.58.X network in addition to the 192.168.30.X network. When connecting with the same VPN profile that worked before the extra phase 2 entry, I get the same "tunnel enabled" message, but I cannot pass any traffic once it says this. I cannot even get to the original 192.168.30.X network that was working. If I remove the extra phase 2 entry I can get back to the 192.168.30.X network without issue.
I have included screenshots of my config and log files for IPsec when connecting by mobile VPN. All that I have found about the error is that my subnet masks may be incorrect, but they all seem to be set to a /24.
Any information on this issue is greatly appreciated!
-
Must have been the only one trying to do this, this thread can be deleted. Problem has been solved.
-
Must have been the only one trying to do this, this thread can be deleted. Problem has been solved.
How did you get this working? I'm having the same problem.
-
I used an OpenVPN solution; it worked fantastic and client deployment was easy. IPsec tunnels for my site-to-site.
-
I think you may need to provide a Phase 2 PFS group to the clients.
Check the box "Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )"
and select "Group 2" from the drop-down menu.
See if that works for you…
-
I think you may need to provide a Phase 2 PFS group to the clients.
Check the box "Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )"
and select "Group 2" from the drop-down menu.
See if that works for you…
Thanks, I'll give that a try.
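As an added example (not code from this thread or from pfSense), here is a small Python check for a set of mobile phase 2 entries like the poster's: it flags a local network typed with host bits set (the "subnet masks may be incorrect" hint), overlapping local networks or overlap with the mobile client address pool, and entries that disagree on the PFS group, which the "Provide the Phase2 PFS group to clients" override resolves by forcing one group. The networks are the ones listed in the thread; the PFS values and the client pool are constructed, not the poster's real settings.

```python
from ipaddress import ip_network

def check_mobile_phase2(entries, override_pfs=None, client_pool=None):
    """Return warnings for a set of mobile IPsec phase 2 entries.

    entries:      list of {"local": CIDR string, "pfs": DH group int or None},
                  one per phase 2 entry on the mobile tunnel.
    override_pfs: mirrors "Provide the Phase2 PFS group to clients"; when set,
                  every entry is treated as using that single group.
    client_pool:  optional mobile-client virtual address pool (CIDR string).
    """
    warnings = []
    nets = []
    groups = set()
    pool = ip_network(client_pool) if client_pool else None
    for e in entries:
        try:
            # strict=True rejects a host address typed with a /24 mask,
            # e.g. 192.168.30.1/24, which would not describe the intended LAN.
            net = ip_network(e["local"], strict=True)
        except ValueError as exc:
            warnings.append(f"{e['local']}: invalid local network ({exc})")
            continue
        for other in nets:
            if net.overlaps(other):
                warnings.append(f"{net} overlaps {other}: ambiguous selector")
        if pool is not None and net.overlaps(pool):
            warnings.append(f"{net} overlaps client pool {pool}")
        nets.append(net)
        groups.add(override_pfs if override_pfs is not None else e["pfs"])
    if len(groups) > 1:
        warnings.append(
            "phase 2 entries disagree on PFS group (%s); enable the override"
            % ", ".join(sorted(map(str, groups))))
    return warnings

# Constructed sample mirroring the thread: main office plus remote office 1
# reachable by mobile clients; the PFS values are made up for illustration.
ENTRIES = [
    {"local": "192.168.30.0/24", "pfs": 2},
    {"local": "192.168.58.0/24", "pfs": None},
]

if __name__ == "__main__":
    for w in check_mobile_phase2(ENTRIES, client_pool="192.168.200.0/24"):
        print("WARN:", w)
    print("with override:", check_mobile_phase2(ENTRIES, override_pfs=2))
```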