Support for multiple IPSec mobile client profiles?
-
I've looked through the bug list for 2.4 and didn't see mention of supporting multiple IPSec mobile client profiles. Is this still planned? It would be great if it could make 2.4.
Thanks
-
Last I tried it, it didn't work in strongSwan, but it's been a while and it's entirely possible the config I used wasn't ideal in some way.
The main problem is how to distinguish them: they could not be identical, or it would never try to use the second one. The way mobile tunnels are crafted, that's not easily distinguishable.
It's something we'd like to see, if it's possible, but it would be a lot of work to enforce proper config validation if it can even be done.
-
Thanks for the reply.
Do you know what the specific issue was with distinguishing them? Was it a port issue?
Considering that multiple mobile profiles would have different virtual pools, maybe that could be a constraint and the pool parameters could be hashed to create a unique identifier for whatever was making it difficult to distinguish.
-
It was a matter of how to determine which profile is used for any given inbound connection.
IPsec does not have distinct "ports" for each server like OpenVPN does, so it has to differentiate based on the information it can see before the connection is negotiated. So the P1 would have to differ enough that it could tell the two apart. For something like IKEv2 there isn't a good way to do that. Maybe it could use identifiers, but clients are very picky about identifiers. I'm not sure a different CA/Cert is enough either.
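As an added illustration of the "use identifiers" idea raised above (this is not configuration from the thread or from pfSense, and the conn names, IDs, CA DNs and address pools are made up), here are two strongSwan ipsec.conf road-warrior conn entries that share the same local address and `right=%any`. Nothing in IKE_SA_INIT tells them apart; the only differences are the identity the client is expected to present (`rightid`), the CA that must have issued its certificate (`rightca`) and the pool it is assigned from. strongSwan picks one candidate at IKE_SA_INIT and can switch to the matching conn once the client's ID and certificate arrive in IKE_AUTH, which is exactly the behaviour the poster says clients are picky about, so this shows the shape of the approach rather than a tested pfSense setup:

```ini
# Added example, not from the original thread. Two mobile (road-warrior)
# profiles on one strongSwan instance; all names and DNs are hypothetical.
config setup
    uniqueids = yes

conn %default
    keyexchange = ikev2
    left = 203.0.113.10                 # the firewall's WAN address (assumed)
    leftcert = vpn-server.crt
    leftauth = pubkey
    right = %any                        # clients come from anywhere
    rightauth = eap-mschapv2
    eap_identity = %identity
    leftsubnet = 0.0.0.0/0
    auto = add

# Profile A: clients configured with remote ID "vpn-staff.example.org",
# issued certificates under the "Staff CA", pool 10.10.10.0/24.
conn mobile-staff
    leftid = vpn-staff.example.org
    rightid = %any
    rightca = "C=US, O=Example, CN=Staff CA"
    rightsourceip = 10.10.10.0/24
    rightdns = 10.0.0.53

# Profile B: same left address, distinguished only by the ID the client
# sends as IDr and by the issuing CA; different pool and DNS.
conn mobile-contractors
    leftid = vpn-contractors.example.org
    rightid = %any
    rightca = "C=US, O=Example, CN=Contractor CA"
    rightsourceip = 10.10.20.0/24
    rightdns = 10.0.0.54
```

The point of the example is the caveat in the thread: because both conns are identical at IKE_SA_INIT, the distinction depends entirely on the client sending the expected `leftid` as its remote identifier and on the certificate chain it presents. A client that sends the server's IP address as the remote ID, or that omits the identity, lands on whichever conn strongSwan tried first, which is why validating such a setup is harder than simply writing two entries.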