Netgate Discussion Forum
    Support for multiple IPSec mobile client profiles?

    2.4 Development Snapshots

    qiv

      I've looked through the bug list for 2.4 and didn't see mention of supporting multiple IPSec mobile client profiles.  Is this still planned?  It would be great if it could make 2.4.

      Thanks

        jimp (Rebel Alliance Developer, Netgate)

        Last I tried it, it didn't work in strongSwan, but it's been a while and it's entirely possible the config I used wasn't ideal in some way.

        The main problem is how to distinguish them: they could not be identical or it would never try to use the second one. The way mobile tunnels are crafted, that's not easily distinguishable.

        It's something we'd like to see, if it's possible, but it would be a lot of work to enforce proper config validation if it can even be done.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          qiv

          Thanks for the reply.

          Do you know what the specific issue was with distinguishing them?  Was it a port issue?

          Considering that multiple mobile profiles would have different virtual pools, maybe that could be a constraint and the pool parameters could be hashed to create a unique identifier for whatever was making it difficult to distinguish.

            jimp (Rebel Alliance Developer, Netgate)

            It was a matter of how to determine which profile is used for any given inbound connection.

            IPsec does not have distinct "ports" for each server like OpenVPN so it has to differentiate based on the information it can see before the connection is negotiated. So the P1 would have to differ enough that it could tell the two apart. For something like IKEv2 there isn't a good way to do that. Maybe it could use identifiers, but clients are very picky about identifiers. I'm not sure a different CA/Cert is enough either.

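As an illustration of the identifier-based distinction jimp mentions, the following is an added example, not code from the thread or from pfSense/Netgate. It assumes strongSwan's swanctl.conf format rather than the ipsec.conf that pfSense 2.4 generates, and the connection names, addresses, certificate file names, DN and pools are all constructed for the example. Both connections listen on the same address for any peer, so nothing before IKE_AUTH tells them apart; strongSwan can only pick one once it sees the IDr the client sends and the identity the client authenticates with.

```conf
# Constructed example: two IKEv2 mobile profiles on one strongSwan gateway,
# separated only by the IKE identities exchanged in IKE_AUTH.
# All names, addresses and file names are assumptions for illustration.
connections {
    mobile-staff {
        version      = 2
        local_addrs  = 203.0.113.10      # same listener for both profiles
        remote_addrs = %any
        pools        = pool-staff        # each profile gets its own virtual pool
        local {
            auth  = pubkey
            certs = staff-gw.example.com.crt
            # The client must send this as IDr; it must also be a SAN in the cert.
            id    = staff-gw.example.com
        }
        remote {
            auth   = eap-mschapv2
            id     = %any
            eap_id = %any
        }
        children {
            staff {
                local_ts      = 10.0.0.0/8
                esp_proposals = aes256gcm16-sha256-x25519
            }
        }
    }
    mobile-contractor {
        version      = 2
        local_addrs  = 203.0.113.10      # identical address and port (UDP 500/4500)
        remote_addrs = %any
        pools        = pool-contractor
        local {
            auth  = pubkey
            certs = contractor-gw.example.com.crt
            id    = contractor-gw.example.com
        }
        remote {
            auth    = pubkey
            # Wildcard DN: only certs issued under this OU select this profile.
            id      = "O=Example, OU=contractors, CN=*"
            cacerts = contractor-ca.crt
        }
        children {
            contractor {
                local_ts      = 10.0.50.0/24
                esp_proposals = aes256gcm16-sha256-x25519
            }
        }
    }
}

pools {
    pool-staff      { addrs = 10.10.10.0/24  dns = 10.0.0.53 }
    pool-contractor { addrs = 10.10.20.0/24  dns = 10.0.0.53 }
}
```

The check a practitioner should make is on the client side: each client has to be configured so the remote identifier it sends (on most platforms the server hostname or an explicit "remote ID" field) matches the `local.id` of the intended profile, and that name must be present in the certificate's subjectAltName. If both connections carried the same `local.id` and accepted the same remote identities, the responder would match the first connection every time and the second profile would never be selected, which is the problem described above. Distinct pools by themselves do not help, because pool assignment happens after the connection has already been chosen.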
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.