Netgate Discussion Forum

    Multiple Roadwarriors Phase 1

IPsec
8 Posts 3 Posters 1.5k Views

megapearl

      Is it possible?

I need, for example, 2 inbound VPN connections, one for Apple devices, which use IKEv2 EAP-TLS, and one for Windows devices, which are using IKEv1 Mutual RSA (via Shrewsoft VPN).
But I can only create one Phase 1 mobile client connection; when I create a second Phase 1 I must fill in a Remote Gateway, but there isn't one with roadwarriors.

      How can I accomplish it?

      Best Regards,
      Donald.

kejianshi

I've yet to figure out why people insist on working themselves to death when OpenVPN will do it crazy easy.

megapearl

OpenVPN isn't a standard. I don't want to or can't install additional VPN software on the devices, and it isn't always possible to install it due to company policies or restrictions.
I want to use the default modern VPN clients which are already built into a lot of operating systems.

kejianshi

I understand, but you are on the opposite of whatever a bleeding edge is. Also, OpenVPN traverses all kinds of NAT where IPsec just fails.

These are actual roadwarriors? I'd only use IPsec between 2 very simple networks with perfect conditions.

            But if your hands are tied, I guess there is nothing you can do.

megapearl

Yes, they are roadwarriors: laptops in the field connected to 4G LTE networks, and mobile devices like Android phones and iPhones.
I had it working several years ago without pfSense, and manually created an ipsec.conf file with a lot of different configurations using strongSwan.
So it is possible; why isn't it implemented in pfSense?

My config at that time was:

              
              root@fileserver:/usr/local/etc # cat ipsec.conf
              config setup
                  cachecrls=yes
                  strictcrlpolicy=no
                  uniqueids=never
              
              conn %default
                  left=donald.flissinger.com
                  leftfirewall=no
                  leftdns=127.0.0.1
                  rightdns=10.0.0.1
              
              # compatible with iOS 8.0.1/8.1.0
              conn ikev1_cert
                  keyexchange=ikev1
                  fragmentation=yes
                  leftid=donald.flissinger.com
                  leftauth=pubkey
                  leftsubnet=0.0.0.0/0
                  leftcert=donaldflissinger.pem
                  right=%any
                  rightauth=pubkey
                  rightauth2=xauth
                  rightsourceip=10.0.1.2/27
                  rightcert=clientdonald.crt
                  auto=add
              
              # also supports iOS PSK and Shrew on Windows
              conn xauth_psk
                  keyexchange=ikev1
                  leftauth=psk
                  leftsubnet=0.0.0.0/0
                  right=%any
                  rightauth=psk
                  rightauth2=xauth
                  rightsourceip=10.0.1.2/27
                  auto=add
              
              # compatible with "strongSwan VPN Client" for Android 4.0+
              # and Windows 7/8 cert mode.
              conn ikev2_cert
                  keyexchange=ikev2
                  leftauth=pubkey
                  leftsubnet=0.0.0.0/0
                  leftcert=donaldflissinger.pem
                  right=%any
                  rightauth=pubkey
                  rightsourceip=10.0.1.2/27
                  rightcert=clientdonald.pem
                  auto=add
              
              conn windows8
                  keyexchange=ikev2
                  ike=aes256-sha1-modp1024!
                  esp=aes256-sha1!
                  dpdaction=clear
                  dpddelay=300s
                  rekey=no
                  left=%any
                  leftcert=vpn-Cert.pem
                  leftsubnet=0.0.0.0/0
                  right=%any
                  rightcert=win8client-Cert.pem
                  rightsourceip=10.0.1.2/27
                  auto=add
              
              conn ikev2_mschapv2
                  keyexchange=ikev2
                  ike=aes256-sha1-modp1024!
                  rekey=no
                  leftauth=pubkey
                  leftsubnet=0.0.0.0/0
                  leftcert=donaldflissinger.pem
                  right=%any
                  rightauth=eap-mschapv2
                  rightsourceip=10.0.1.2/27
                  rightsendcert=never
                  eap_identity=%any
                  auto=add
              
              conn mainserver
                  aggressive=yes
                  authby=secret
                  leftid=@donald.flissinger.com
                  leftsubnet=10.0.0.0/24
                  right=proxy.flissinger.com
                  rightid=@proxy.flissinger.com
                  rightsubnet=10.0.1.0/24
                  auto=start
              root@fileserver:/usr/local/etc #

kejianshi

IPsec works for pfSense. But for all listed devices, OpenVPN is easier. I dropped IPsec for myself because it's just too easily broken depending on the network.

However, there are many IPsec gurus on the forum. I'm sure one will help you.

SisterOfMercy

I've found IPsec with pfSense works a lot better since IKEv2 got implemented/strongSwan got used.

However, multiple roadwarrior phase 1s are not supported yet. :(

Things like this show up as requests:
https://redmine.pfsense.org/issues/8036

                  Hi, I'm Lance Boyle, and people often wonder if I'm real.

megapearl

I ended up manually editing /cf/conf/config.xml to achieve what I want: I just copied the relative code and changed the ikeid in phase 1 and 2 and the uniqid in phase 2. After that I was able to use the pfSense GUI again.
I can now connect from Android, Windows, and Apple devices using different authentication methods.

                    1 Reply Last reply Reply Quote 0
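The config.xml edit described in the post above can be scripted rather than done by hand. The following is an added example written for this page, not code from the thread, from megapearl, or from pfSense itself. It copies the mobile phase1 entry and every phase2 that references it, assigns the copy the next free ikeid (one past the highest existing phase1 ikeid, which is what the GUI does), gives each copied phase2 a fresh 13-character uniqid, and optionally changes the IKE version and authentication method so the second entry can serve a different client population. The element names ikeid, uniqid, phase1, phase2 and mobile come from the post and from pfSense's config.xml layout; the sample document below and the value strings in it (iketype, authentication_method, the hypothetical descr text) are constructed for the example and are not taken from a real firewall.

```python
"""Clone a pfSense mobile (road-warrior) IPsec phase1 inside config.xml.

Added example, not pfSense code. Element names ikeid/uniqid/phase1/phase2/
mobile follow pfSense config.xml; the sample document and its values are
constructed assumptions for illustration only.
"""
import copy
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: one mobile IKEv2 phase1 (ikeid 1), one site-to-site
# phase1 (ikeid 2) and one mobile phase2 bound to ikeid 1. Not a real config.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev2</iketype>
      <interface>wan</interface>
      <mobile></mobile>
      <authentication_method>eap-tls</authentication_method>
      <descr>Mobile IKEv2 EAP-TLS (Apple)</descr>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <iketype>ikev1</iketype>
      <interface>wan</interface>
      <remote-gateway>203.0.113.10</remote-gateway>
      <authentication_method>pre_shared_key</authentication_method>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <uniqid>5f0d2a1b3c4e5</uniqid>
      <mode>tunnel</mode>
      <mobile></mobile>
      <descr>Mobile P2</descr>
    </phase2>
  </ipsec>
</pfsense>
"""


def load(xml_text):
    """Parse config.xml text into an element tree root."""
    return ET.fromstring(xml_text)


def _set_text(parent, tag, value):
    """Set <tag> under parent to value, creating the element if it is absent."""
    el = parent.find(tag)
    if el is None:
        el = ET.SubElement(parent, tag)
    el.text = value


def next_ikeid(ipsec):
    """One past the highest phase1 ikeid, the same choice the GUI makes."""
    ids = [int(p1.findtext("ikeid", "0")) for p1 in ipsec.findall("phase1")]
    return max(ids, default=0) + 1


def new_uniqid():
    """13 hex chars: the width of PHP uniqid(), which pfSense uses for phase2."""
    return secrets.token_hex(7)[:13]


def clone_mobile_phase1(root, source_ikeid, descr, iketype=None, auth=None):
    """Duplicate the mobile phase1 with ikeid source_ikeid plus its phase2s.

    Returns the ikeid given to the copy. iketype/auth override the copied
    values (e.g. ikev1 + rsasig for a Shrew Soft Mutual RSA population).
    """
    ipsec = root.find("ipsec")
    src = next((p1 for p1 in ipsec.findall("phase1")
                if p1.findtext("ikeid") == str(source_ikeid)
                and p1.find("mobile") is not None), None)
    if src is None:
        raise ValueError(f"no mobile phase1 with ikeid {source_ikeid}")

    new_id = next_ikeid(ipsec)
    p1 = copy.deepcopy(src)
    _set_text(p1, "ikeid", str(new_id))
    _set_text(p1, "descr", descr)
    if iketype:
        _set_text(p1, "iketype", iketype)
    if auth:
        _set_text(p1, "authentication_method", auth)
    # Keep the phase1-block-then-phase2-block order the file already has.
    last_p1 = ipsec.findall("phase1")[-1]
    ipsec.insert(list(ipsec).index(last_p1) + 1, p1)

    # Phase2 entries point at their phase1 via ikeid; each copy also needs its
    # own uniqid, otherwise the GUI cannot tell the two entries apart.
    copies = []
    for p2 in ipsec.findall("phase2"):
        if p2.findtext("ikeid") == str(source_ikeid):
            c = copy.deepcopy(p2)
            _set_text(c, "ikeid", str(new_id))
            _set_text(c, "uniqid", new_uniqid())
            copies.append(c)
    ipsec.extend(copies)
    return new_id


def ikeids_unique(root):
    """Sanity check before writing back: no two phase1 entries share an ikeid."""
    ids = [p1.findtext("ikeid") for p1 in root.find("ipsec").findall("phase1")]
    return len(ids) == len(set(ids))


def render(root):
    """Serialise to config.xml text (use ElementTree.write() for a real file)."""
    return ET.tostring(root, encoding="unicode", xml_declaration=True)


if __name__ == "__main__":
    cfg = load(SAMPLE_CONFIG)
    ikeid = clone_mobile_phase1(cfg, 1, "Mobile IKEv1 Mutual RSA (Shrew)",
                                iketype="ikev1", auth="rsasig")
    assert ikeids_unique(cfg)
    print(render(cfg))
```

Two practical caveats for anyone repeating this on a live firewall: take a copy of /cf/conf/config.xml before writing, and remove pfSense's cached copy of the configuration (/tmp/config.cache) after the edit so the modified file is actually re-read; otherwise the old in-memory configuration can be written back over your change. Cloning an existing entry, as above, rather than typing a phase1 from scratch is deliberate: each pfSense release may add phase1 fields, and a copy of a working entry carries whatever the running version expects.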
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.