IPsec Mobile VPN - Allow client to access LAN without "Send all traffic" / Remote gateway disabled



Hello,

Can IPsec IKEv2 Mobile VPN be configured to allow clients to access local LAN resources (via IP address) while "send all traffic" (macOS/iOS) or "use remote gateway" (Windows) is disabled and a manual route cannot be added to the client devices?

Background:
I need to replace the current L2TP/IPsec VPN server, which is located behind the customer's pfSense firewall, so I was thinking of configuring the VPN server on pfSense itself. The VPN connection is used to access local LAN resources (SMB/CodeMeter licensing server) from mobile clients. Because the customer demands the OS-native VPN clients (Win7, 10, macOS and iOS), OpenVPN cannot be used, so the only other option is IPsec/IKEv2 (mobile).

But there are additional conditions which make the basic IPsec Mobile setup (a virtual IP subnet different from the local LAN subnet) probably unusable:

1. Access to the internet is NOT allowed via the VPN (to prevent sending traffic to the internet via the company's public IP), so the "send all traffic / use remote gateway" option cannot be used on the client side to ensure that traffic to LAN IPs is sent over the VPN.

2. We are not able to push/set a manual route on each client where the VPN will be configured.

3. Mobile clients (laptops, iPhones/iPads) are also used inside the LAN network, so we probably cannot use 1:1 NAT, because the devices are configured to access local resources via LAN IPs (e.g. SMB access to 192.168.20.2 and 192.168.20.3 for the licensing server) to ensure that these services are accessible when the device is connected to the local LAN network.

The current L2TP VPN server works fine as it allocates addresses from the local LAN subnet to VPN clients, but as I understand it this cannot be used with IPsec, as it requires a virtual IP subnet completely different from the local LAN. Or is there some way to do it?

Thanks for any hints,

Michal D.
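As an added illustration (not part of Michal's post and not pfSense or strongSwan code), the Python below simulates the client-side route selection that conditions 1 and 2 hinge on: longest-prefix match with a metric tie-break, run over three constructed client routing tables. Interface names, metrics and the 172.16.50.0/24 virtual-IP subnet are assumptions; 192.168.20.2 is the LAN host from the post and 203.0.113.10 is an RFC 5737 documentation address standing in for an internet destination.

```python
import ipaddress

# Constructed client routing tables (not from the forum post). Interface names
# and the VPN virtual-IP subnet 172.16.50.0/24 are assumptions for illustration.
WIFI = "wifi0"     # the hotel/home Wi-Fi the mobile client is connected to
TUN = "ipsec0"     # the IKEv2 tunnel interface

# (prefix, interface, metric): a lower metric wins between equally specific routes
BASE_TABLE = [
    ("0.0.0.0/0", WIFI, 100),        # default route learned from the local Wi-Fi
    ("10.0.0.0/24", WIFI, 100),      # the Wi-Fi's own subnet
    ("172.16.50.0/24", TUN, 50),     # the virtual-IP subnet assigned by the VPN
]

TABLES = {
    # "send all traffic" / "use remote gateway" enabled: the VPN installs a
    # preferred default route, so everything, internet included, enters the tunnel
    "send_all_traffic": BASE_TABLE + [("0.0.0.0/0", TUN, 10)],
    # option disabled and no route for the LAN prefix: nothing points the LAN at the tunnel
    "split_tunnel_no_lan_route": BASE_TABLE,
    # option disabled, but a route for the LAN prefix exists on the client
    "split_tunnel_with_lan_route": BASE_TABLE + [("192.168.20.0/24", TUN, 10)],
}


def lookup(table, dst):
    """Longest-prefix match with metric tie-break: return the egress interface for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)  # more specific first, then lower metric
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def egress_matrix(tables=TABLES):
    """For each scenario, report where LAN traffic (192.168.20.2 from the post) and
    internet traffic (203.0.113.10, a documentation address) leave the client."""
    lan_host = "192.168.20.2"
    internet_host = "203.0.113.10"
    return {
        name: {"lan": lookup(table, lan_host), "internet": lookup(table, internet_host)}
        for name, table in tables.items()
    }


if __name__ == "__main__":
    for name, egress in egress_matrix().items():
        print(f"{name:28s} LAN -> {egress['lan']:7s} internet -> {egress['internet']}")
```

Only the third table satisfies both conditions at once: LAN traffic reaches the tunnel and internet traffic stays on the local uplink, which requires exactly the client-side route for the LAN prefix that the post says cannot be added manually. The first table sends internet traffic through the company's public IP (condition 1), and the second sends the LAN traffic out the Wi-Fi, where 192.168.20.2 is unreachable.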