Mobile IPsec to Site-to-Site VPN
-
Hi,
I have a setup where pfSense has loads (and I mean loads) of S2S VPNs to customer sites, and basically all of those remote sites have lots of VLANs with different IP ranges. These are all added as P2 entries.
We use Domain Overrides in DNS Forwarding so DNS lookups work perfectly - we have a Domain Override entry for every site's DNS server(s). Then on the Mobile Client setup we have the LAN IP of pfSense handed out as a DNS server. Although Domain Overrides work OK from the LAN IP range, they don't work when on the Mobile Client IP range.
At the moment we remote in to a server (not full RDS) on the LAN side of pfSense and can then break out to any device in any of the S2S sites. This is limited as the not-full-RDS server can only manage 2 concurrent users. So I was looking at having Mobile IPsec for the clients to VPN in to pfSense, then we can all break out to wherever we need to go as if we were on the LAN IP range. This isn't working.
I've read that we need to create P2 entries on the Mobile Client P1 tunnel, and then a P2 on each remote site as well. This isn't realistic due to the number we'd have to put in and maintain, and having to contact all the remote sites to get their end done.
Is there no "implicit" way of this just working? I.e. once the mobile VPN is established, they're seen as being on the pfSense LAN IP side, so they just "inherit" or route over all the existing P1/P2 connections, with no additional setup needed at either end?
I hope that makes sense!
Thanks
-
@ldoodle said in Mobile IPsec to Site-to-Site VPN:
I have a setup where pfSense has loads (and I mean loads) of S2S VPNs to customer sites, and basically all of those remote sites have lots of VLANs with different IP ranges. These are all added as P2 entries.
Why don't you configure route-based IPsec (VTI tunnels), so you don't have the hassle of dozens of phase 2 configs? Everything is handled by the routing table.
Cheers
4920441
-
Thanks. Would this need involvement from both sides? We don't manage the remote sites' config in any way, so it would be tricky to work out.
Could I just have the IPsec Mobile Client VPN be routed, and then once connected they can flow over the existing P1/P2 S2S VPNs?
Thanks again
-
To make it work you have to adapt both sides, but it is worth it.
If you have configured the clients route-based, you only have to add another route for the Mobile Client VPN to make it work - no hassle with tons of SAs from client networks.
Cheers
4920441
-
OK thanks again. The biggest site we have connected is undergoing a whole LAN refresh so I'll pick this up when that happens as it will need reconfiguring both sides anyway.
Could I workaround it for now with Outbound NAT for Mobile Client tunnel?
-
SNATting everything could help, but administering the firewall rules with source NATting... I would not like to go down this rabbit hole...
Sure, if the network of the SA is also directly attached to an interface of the firewall, it should work.
Cheers.
4920441
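As an added illustration (not code from the thread, pfSense or strongSwan), the following toy model shows the mechanics behind the two replies above: with policy-based P2 entries a packet only enters a tunnel when a selector matches both source and destination, so mobile-pool traffic to a remote VLAN matches nothing; with route-based (VTI) IPsec only the destination is looked up, but the remote site still needs a return route for the mobile pool; and with the outbound NAT workaround the source is rewritten to a LAN address so the existing LAN-to-VLAN P2 matches. All networks, addresses and interface names are constructed for the example.

```python
# Added example, not code from the thread or from pfSense: a toy model of
# why mobile-client traffic does not "inherit" policy-based site-to-site
# tunnels, and why route-based (VTI) IPsec or source NAT makes it work.
# Every address and interface name below is constructed for the illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One policy-based P2 entry: a (local, remote) selector pair."""
    local: str
    remote: str
    tunnel: str


LAN = "10.0.0.0/24"            # pfSense LAN (hypothetical)
LAN_IP = "10.0.0.1"            # pfSense LAN address (hypothetical)
MOBILE_POOL = "10.99.0.0/24"   # mobile IPsec client pool (hypothetical)
SITE_A_VLANS = ["192.168.10.0/24", "192.168.20.0/24"]  # remote VLANs (hypothetical)

# Policy-based S2S: one P2 per remote VLAN, local side = LAN only.
POLICY_P2S = [Phase2(LAN, vlan, "siteA") for vlan in SITE_A_VLANS]

# Route-based S2S: the same VLANs reached via a VTI interface, plus a default route.
VTI_ROUTES = [("0.0.0.0/0", "wan")] + [(vlan, "ipsec1") for vlan in SITE_A_VLANS]


def spd_lookup(p2s, src, dst):
    """Policy-based IPsec: a packet enters a tunnel only if some P2
    selector matches BOTH source and destination. No match -> None
    (the packet is routed in the clear, normally out the WAN)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in p2s:
        if s in ipaddress.ip_network(p2.local) and d in ipaddress.ip_network(p2.remote):
            return p2.tunnel
    return None


def route_lookup(routes, dst):
    """Route-based IPsec: plain longest-prefix match on the destination.
    The source address plays no part in choosing the tunnel."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def snat_then_spd_lookup(p2s, src, dst, nat_src_net, nat_to):
    """Outbound NAT workaround: rewrite the source of mobile-pool traffic to
    a LAN address before the SPD check, so the existing LAN->VLAN P2 matches.
    Only works because nat_to lies inside the P2's local network."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(nat_src_net):
        src = nat_to
    return spd_lookup(p2s, src, dst)


def forward_path():
    """Where a packet from the LAN / mobile pool to a remote VLAN host ends up."""
    dst = "192.168.10.7"
    return {
        "lan_policy": spd_lookup(POLICY_P2S, "10.0.0.5", dst),
        "mobile_policy": spd_lookup(POLICY_P2S, "10.99.0.5", dst),
        "mobile_vti": route_lookup(VTI_ROUTES, dst),
        "mobile_snat": snat_then_spd_lookup(POLICY_P2S, "10.99.0.5", dst, MOBILE_POOL, LAN_IP),
    }


def return_path(extra_remote_routes=()):
    """The remote site's side with VTI: replies to the mobile pool only come
    back over the tunnel once that site also has a route for the pool."""
    remote_routes = [("0.0.0.0/0", "isp"), (LAN, "vti-pfsense")] + list(extra_remote_routes)
    return route_lookup(remote_routes, "10.99.0.5")


if __name__ == "__main__":
    print(forward_path())
    print(return_path(), return_path([(MOBILE_POOL, "vti-pfsense")]))
```

Running it shows the LAN host reaching siteA through the P2, the mobile client matching no P2 at all (so nothing "inherits"), the VTI route selecting ipsec1 regardless of source, the SNAT variant matching the P2 again, and the remote site sending replies to the mobile pool out its default route until a route for the pool is added on that side, which is the "adapt both sides" point above.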