Netgate Discussion Forum

    Routing mobile VPN users through IPSec tunnel

    miken32:

      Setup looks like this:

      
      +----------+ ------------> +---------------+ ---------------> +-----------+
      | iPhone   |  IPSec Client |    pfSense    |   IPSec Tunnel   |    ASA    |
      +----------+ ------------> |               | ---------------> |           |
                                 +---------------+                  +-----------+
                                        |L|                              |L|
                                        |A|                              |A|
                                        |N|                              |N|
                                        |_|                              |_|
                                        \ /                              \ /
                                 +---------------+                  +-----------+
                                 |    Office     |                  |    NOC    |
                                 |    Network    |                  |  Network  |
                                 +---------------+                  +-----------+
      
      

      From my iPhone I can hit things on the office network but I cannot reach the NOC network. The pfSense and users on the office network can hit things on the NOC network no problem (my iPhone's connection is getting authenticated by an OpenLDAP server in the NOC so no connection problems.) I can't even ping the ASA's internal IP address. Anyone have any thoughts on what might be blocking the traffic?

      dguy:

        Your mobile subnet is not allowed through your pfSense/ASA IPsec tunnel. What you have to do is add another Phase 2 subnet entry to your pfSense/ASA IPsec tunnel.

        I have a similar setup at my work, and the only way for mobile clients to communicate onto the second site (i.e. ASA), is to add the subnet to the IPsec Phase 2 config (see attachment of my Phase 2 subnets).

        You'll have to add the Phase 2 subnet on both the pfSense box, and the ASA end in order for communication to pass through from the mobile client.

        As per my attachment, my subnet (172.25.15.0/25) is my mobile clients. If I remove this Phase 2 entry, my mobile clients would not be able to hit anything on the 10.2.30.0/24 subnet.

        ![Phase2 Subnets.PNG](/public/imported_attachments/1/Phase2 Subnets.PNG)

        miken32:

          @dguy:

          Your mobile subnet is not allowed through your pfSense/ASA IPsec tunnel. What you have to do is add another Phase 2 subnet entry to your pfSense/ASA IPsec tunnel.

          I'm not the least bit qualified to be mucking with these ASAs. Got the initial setup working using Cisco's site-to-site VPN wizard in ASDM, and am not about to figure out how to add a second P2 entry!

          Fortunately, I was able to allocate an adjacent subnet to mobile users, so just had to change the subnet mask of the existing P2 entries. That's working now, thanks for your assistance.

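To make the two fixes in this thread concrete, here is an added Python example (not from the thread, pfSense or the ASA) that models IPsec Phase 2 entries as (local, remote) traffic-selector pairs and checks whether a given flow is carried by the tunnel. It shows why a mobile client outside every Phase 2 entry never reaches the NOC, how dguy's fix (a second Phase 2 entry for the client pool, mirrored on the ASA) repairs it, and how miken32's fix (an adjacent pool plus a wider mask) does the same with a single entry. The 10.0.10.0/24 office LAN and 10.0.11.0/24 mobile pool are assumed values; 10.2.30.0/24 is the NOC subnet dguy cites.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing. Only 10.2.30.0/24 (the NOC subnet) comes
# from the thread; the office LAN and mobile pool are assumptions.
OFFICE_LAN = "10.0.10.0/24"    # assumed LAN behind pfSense
MOBILE_POOL = "10.0.11.0/24"   # assumed mobile IPsec client pool, adjacent to the LAN
NOC_LAN = "10.2.30.0/24"       # NOC subnet behind the ASA (from dguy's post)


def selector_for(selectors, src, dst):
    """Return the first (local, remote) Phase 2 pair whose local subnet contains
    src and whose remote subnet contains dst, or None if nothing matches.
    A packet with no matching pair is never sent into the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def mirrored(selectors):
    """The peer's view of the same Phase 2 set: local and remote swapped.
    The ASA end must carry exactly this, or the reply path has no selector."""
    return [(remote, local) for local, remote in selectors]


def flow_protected(pfsense_selectors, src, dst):
    """True only if the forward flow matches on pfSense AND the reply flow
    (dst -> src) matches the mirrored entry on the ASA."""
    fwd = selector_for(pfsense_selectors, src, dst)
    rev = selector_for(mirrored(pfsense_selectors), dst, src)
    return fwd is not None and rev is not None


def smallest_supernet(a, b):
    """Smallest single prefix containing both networks: the 'widen the mask'
    fix. Returns an IPv4Network/IPv6Network; both inputs must share a family."""
    a, b = ip_network(a), ip_network(b)
    if a.version != b.version:
        raise ValueError("cannot merge IPv4 and IPv6 prefixes")
    net = a
    while net.prefixlen > 0 and not (a.subnet_of(net) and b.subnet_of(net)):
        net = net.supernet()
    return net


# The three Phase 2 configurations discussed in the thread.
ORIGINAL = [(OFFICE_LAN, NOC_LAN)]                       # only the office LAN
FIX_ADD_P2 = ORIGINAL + [(MOBILE_POOL, NOC_LAN)]         # dguy: add a second entry
FIX_WIDEN = [(str(smallest_supernet(OFFICE_LAN, MOBILE_POOL)), NOC_LAN)]  # miken32


def audit(selectors, flows):
    """Return [(src, dst, protected?)] for a list of (src, dst) flows."""
    return [(src, dst, flow_protected(selectors, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    flows = [("10.0.10.20", "10.2.30.1"),   # office host -> NOC
             ("10.0.11.5", "10.2.30.1")]    # mobile client -> NOC
    for name, sel in (("original", ORIGINAL), ("add P2", FIX_ADD_P2),
                      ("widen mask", FIX_WIDEN)):
        print(name, sel)
        for src, dst, ok in audit(sel, flows):
            print(f"  {src:>12} -> {dst:<12} {'tunneled' if ok else 'NOT tunneled'}")
```

Two points the checker makes visible: the reply path is evaluated against the mirrored entry, so a Phase 2 entry added on pfSense alone still leaves the flow unprotected until the ASA carries the matching pair, and widening the mask only works cleanly when the pool is adjacent. For two non-adjacent /24s the smallest common supernet pulls in every address between them (10.0.10.0/24 and 10.0.12.0/24 merge into 10.0.8.0/21), which would silently route unrelated hosts into the tunnel; a separate Phase 2 entry is the precise option in that case.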
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.