IPsec VPNs for S2S and mobile clients

IPsec

TMA-3:
I'm attempting to create 2 IPsec VPN configurations, one for site-to-site and another for mobile clients. I'd like to use different IP addresses for each (I have a /29 block of public IPs assigned to me) and hand out hostnames that make sense (sitename.company.com and vpn.company.com, for example). I thought that I should assign these IP addresses to separate interfaces, but I have not been successful in getting this to work. It seems from the examples I've found that the preferred way to handle multiple public IP addresses is to use the Virtual IPs feature and just use the WAN interface for both.

Is it possible to have my OPT1 interface handle the VPN for my mobile clients while having the site-to-site VPN on my WAN interface? Or is this creating more trouble than it is worth?

Thank you for any advice.

Derelict (Netgate):

Use a Virtual IP. You can't configure two interfaces on the same subnet.

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

TMA-3:

@Derelict:

Use a Virtual IP. You can't configure two interfaces on the same subnet.

Oh, dear - is that the issue here? I was attempting to assign each interface with a single IP (/32) … does that make a difference, or is the proper way to enter the /29 network for the WAN interface and use the Virtual IPs for each? Sounds like it?

Thanks!

Derelict (Netgate):

Yes. One interface with two addresses.


TMA-3:

@Derelict:

Yes. One interface with two addresses.

Thanks for the assistance!

I now have my WAN configured properly with /29, my two IP aliases configured, and I can reach the WAN interface from outside. Here is my next question: how do I listen for VPN connections on a specific IP alias? In the IPsec configuration I am only given a choice of the WAN interface in the Phase 1 section - I don't see a place to indicate an alias (or where I expect the incoming connection to arrive). How can I accomplish this? I'd like the site-to-site VPN on one IP and the Mobile VPN on the other.

Thank you!

Derelict (Netgate):

My WAN VIP (172.25.228.6) is listed as a choice there…

![Screen Shot 2018-01-18 at 11.43.41 AM.png](/public/imported_attachments/1/Screen Shot 2018-01-18 at 11.43.41 AM.png)


TMA-3:

@Derelict:

My WAN VIP (172.25.228.6) is listed as a choice there…

Ah, OK - I added my IPs as firewall aliases and not as virtual IP addresses. Now they show up - thank you!

When I enter my IPs in the virtual IP address section, should I be using the netmask for my IP block (/29) or should I be using a single IP address mask (/32)?

Thank you.

Derelict (Netgate):

If you use IP Alias type (probably what you want) you should use the interface subnet.

If you use CARP type (not sure why you would) you should use the interface subnet.

You cannot use Proxy ARP or Other because you cannot bind services on the firewall (like IPsec) to them.

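The two rules in this thread (one interface per subnet, VIPs entered as IP Alias with the interface's own mask so IPsec can bind to them) are easy to get wrong when typing addresses by hand. The script below is an added example, not code from the thread or from pfSense, that audits a planned layout before it is entered in the GUI. The interface and VIP dicts are a hypothetical representation of the interface and Virtual IPs pages, and the sample addresses are constructed from the RFC 5737 documentation range rather than the poster's real /29.

```python
import ipaddress

# Added example, not code from the thread or from pfSense. It models the two rules
# given in the thread: interfaces must not share a subnet, and a service such as
# IPsec can only bind to an IP Alias or CARP virtual IP entered with the
# interface's own subnet mask. Proxy ARP and Other VIPs are not bindable.
BINDABLE_VIP_TYPES = {"IP Alias", "CARP"}


def overlapping_interfaces(interfaces):
    """Return sorted (name, name) pairs of interfaces whose networks overlap.

    interfaces maps an interface name to the CIDR typed on its config page,
    e.g. {"WAN": "203.0.113.9/29"}. A /32 carved out of another interface's
    /29 still counts as overlap, which is the first layout tried in the thread.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def check_vip(vip, interfaces):
    """Return a list of problems with one virtual IP entry; [] means it is fine.

    vip is a dict with "interface", "type" and "address" (CIDR) keys, a
    hypothetical representation of one row on the Virtual IPs page.
    """
    problems = []
    parent = ipaddress.ip_interface(interfaces[vip["interface"]])
    addr = ipaddress.ip_interface(vip["address"])
    label = f"{vip['type']} {vip['address']}"
    if vip["type"] not in BINDABLE_VIP_TYPES:
        problems.append(f"{label}: IPsec cannot bind to this VIP type; use IP Alias")
    if addr.ip not in parent.network:
        problems.append(f"{label}: address is outside the {vip['interface']} "
                        f"subnet {parent.network}")
    elif addr.network.prefixlen != parent.network.prefixlen:
        problems.append(f"{label}: use the interface subnet mask "
                        f"/{parent.network.prefixlen}, not /{addr.network.prefixlen}")
    if addr.ip == parent.ip:
        problems.append(f"{label}: duplicates the {vip['interface']} interface address")
    return problems


def audit(interfaces, vips):
    """Run both checks and return findings keyed by VIP address."""
    return {
        "overlapping_interfaces": overlapping_interfaces(interfaces),
        "vip_problems": {v["address"]: check_vip(v, interfaces) for v in vips},
    }


# Constructed sample values (RFC 5737 documentation range), not the poster's real block.
FIRST_ATTEMPT = {"WAN": "203.0.113.9/29", "OPT1": "203.0.113.10/32"}  # two interfaces, one /29
FIXED_LAYOUT = {"WAN": "203.0.113.9/29"}                               # one interface, VIPs below
SAMPLE_VIPS = [
    {"interface": "WAN", "type": "IP Alias", "address": "203.0.113.10/29"},   # site-to-site: OK
    {"interface": "WAN", "type": "IP Alias", "address": "203.0.113.11/32"},   # mobile: wrong mask
    {"interface": "WAN", "type": "Proxy ARP", "address": "203.0.113.12/29"},  # not bindable
    {"interface": "WAN", "type": "IP Alias", "address": "203.0.113.20/29"},   # outside the /29
]

if __name__ == "__main__":
    print("first attempt overlaps:", overlapping_interfaces(FIRST_ATTEMPT))
    for address, problems in audit(FIXED_LAYOUT, SAMPLE_VIPS)["vip_problems"].items():
        print(address, "OK" if not problems else problems)
```

Running it reports the OPT1/WAN overlap for the first attempt, and for the fixed layout flags the /32 mask on the mobile VIP and the Proxy ARP entry while passing the IP Alias entered with /29, which is the combination Derelict describes.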