IPsec VPNs for S2S and mobile clients



  • I'm attempting to create 2 IPsec VPN configurations, one for site-to-site and another for mobile clients.  I'd like to use different IP addresses for each (I have a /29 block of public IPs assigned to me) and hand out hostnames that make sense (sitename.company.com and vpn.company.com, for example).  I thought that I should assign these IP addresses to separate interfaces, but I have not been successful in getting this to work.  It seems from the examples I've found that the preferred way to handle multiple public IP addresses is to use the Virtual IPs feature and just use the WAN interface for both.

    Is it possible to have my OPT1 interface handle the VPN for my mobile clients while having the site-to-site VPN on my WAN interface?  Or is this creating more trouble than it is worth?

    Thank you for any advice.


  • LAYER 8 Netgate

    Use a Virtual IP. You can't configure two interfaces on the same subnet.



  • @Derelict:

    Use a Virtual IP. You can't configure two interfaces on the same subnet.

    Oh, dear - is that the issue here?  I was attempting to assign each interface with a single IP (/32) … does that make a difference or is the proper way to enter the /29 network for the WAN interface and use the Virtual IPs for each?  Sounds like it?

    Thanks!


  • LAYER 8 Netgate

    Yes. One interface with two addresses.



  • @Derelict:

    Yes. One interface with two addresses.

    Thanks for the assistance!

    I now have my WAN configured properly with /29, my two IP aliases configured and I can reach the WAN interface from outside.  Here is my next question:  How do I listen for VPN connections on a specific IP alias?  In the IPsec configuration I am only given a choice of the WAN interface in the Phase 1 section - I don't see a place to indicate an alias (or where I expect the incoming connection to arrive).  How can I accomplish this?  I'd like the site-to-site VPN on one IP and the Mobile VPN on the other.

    Thank you!


  • LAYER 8 Netgate

    My WAN VIP (172.25.228.6) is listed as a choice there…

    ![Screen Shot 2018-01-18 at 11.43.41 AM.png](/public/imported_attachments/1/Screen Shot 2018-01-18 at 11.43.41 AM.png)



  • @Derelict:

    My WAN VIP (172.25.228.6) is listed as a choice there…

    Ah, OK - I added my IPs as firewall aliases and not as virtual IP addresses.  Now they show up - thank you!

    When I enter my IPs in the virtual IP address section, should I be using the netmask for my IP block (/29) or should I be using a single IP address mask (/32)?

    Thank you.


  • LAYER 8 Netgate

    If you use IP Alias type (probably what you want) you should use the interface subnet.

    If you use CARP type (not sure why you would) you should use the interface subnet.

    You cannot use Proxy ARP or Other because you cannot bind services on the firewall (like IPsec) to them.
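The layout the thread converges on (one WAN interface carrying the /29, two IP Alias VIPs on it, site-to-site Phase 1 bound to one address and the mobile Phase 1 bound to the other) is expressed below as a strongSwan `swanctl.conf`. This is an added illustration, not configuration from the thread or generated by pfSense; pfSense writes its own strongSwan configuration from the GUI, and nothing here needs to be edited by hand on the firewall. The addresses (203.0.113.0/29 as the public block, 198.51.100.10 as the remote site, 10.x.x.x for the private networks), the hostnames and the pool name are constructed placeholders, and the use of a PSK for the site-to-site peer and EAP-MSCHAPv2 for mobile users is an assumption, not something the thread specifies.

```conf
# Added example: two IKEv2 connections on one WAN interface, each bound
# to a different public address. Both addresses live on the same NIC as
# IP Alias VIPs (the interface itself is 203.0.113.2/29, the aliases are
# .3 and .4 with the same /29 mask), so the daemon simply selects which
# local address each connection listens on via local_addrs.
connections {
    # Site-to-site: bound to sitename.company.com (203.0.113.3, constructed)
    site-to-site {
        local_addrs  = 203.0.113.3
        remote_addrs = 198.51.100.10        # constructed remote site address
        version      = 2
        proposals    = aes256-sha256-x25519
        local {
            auth = psk
            id   = sitename.company.com
        }
        remote {
            auth = psk
            id   = 198.51.100.10
        }
        children {
            s2s {
                local_ts      = 10.0.0.0/24  # our LAN (constructed)
                remote_ts     = 10.1.0.0/24  # their LAN (constructed)
                esp_proposals = aes256gcm16-x25519
                start_action  = start
                dpd_action    = restart
            }
        }
    }

    # Mobile clients: bound to vpn.company.com (203.0.113.4, constructed).
    # remote_addrs is left at its default (%any) because road warriors
    # connect from unknown addresses.
    mobile {
        local_addrs = 203.0.113.4
        version     = 2
        proposals   = aes256-sha256-x25519
        pools       = mobile-pool
        local {
            auth  = pubkey
            certs = vpn.company.com.pem      # server certificate (placeholder name)
            id    = vpn.company.com
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        children {
            mobile {
                local_ts      = 0.0.0.0/0    # full tunnel for clients
                esp_proposals = aes256gcm16-x25519
                dpd_action    = clear
            }
        }
    }
}

pools {
    mobile-pool {
        addrs = 10.99.0.0/24                  # client address pool (constructed)
    }
}

secrets {
    ike-s2s {
        id     = 198.51.100.10
        secret = "REPLACE-WITH-SITE-PSK"      # placeholder
    }
    eap-alice {
        id     = alice
        secret = "REPLACE-WITH-USER-PASSWORD" # placeholder
    }
}
```

The point of the example is the two `local_addrs` lines: because both public addresses are configured on the same interface (the VIPs carrying the interface's /29 mask, as the last reply recommends), the IKE daemon can bind a connection to either one, which is exactly what the Phase 1 "Interface" drop-down is selecting when a VIP appears there. Putting the addresses on separate interfaces in the same subnet, as originally attempted, would give the host two routes to the same /29 and no clean way to express this binding.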

