Netgate Discussion Forum

    IPSec IKEv2 EAP-TLS with multiple mobile connections

    IPsec
    5 Posts 2 Posters 854 Views
    daystrom_matthew

      Hi

      I am testing deploying IPSec IKEv2 EAP-TLS for my mobile clients. I followed the Netgate docs https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-tls.html.

      I can establish connections from a mobile client to pfSense and everything (split tunnel, DNS, access to selected internal networks, etc.) works as expected. However, if the same user on an additional device attempts to create a second connection, the first VPN tunnel closes. This is frustrating because users often want to simultaneously connect on, say, a tablet and laptop, or laptop and phone, etc.

      At first I thought this was related to this forum post: https://forum.netgate.com/topic/164171/mobile-ipsec-multiple-mobile-clients-with-the-same-public-ip.
      However, the problem is still there when I tested this with two devices coming from different global IPv4 addresses (each was connecting using different carriers with their own address ranges).

      I did have a trawl through the logs but nothing particularly stood out. Having said that, there are 4 site-to-site IKEv2 instances on the same pfSense box so I might have missed something in the noise.

      Any suggestions would be appreciated.
      Matt

      jimp (Rebel Alliance Developer, Netgate)

        Normally you don't want to allow multiple connections from the same remote certificate. But if that is something you must do, then you should be able to work around that by going to VPN > IPsec on the Advanced Settings tab and, on there, set "Configure Unique IDs as" to "Never".

        daystrom_matthew @jimp

          @jimp Hi, thanks for that! That 'fixed' it.

          OK, so I'm guessing this is a silly question, but why do you limit the number of instances a single certificate can connect from? Is it to make the compromise of a certificate more noticeable (since sessions will be dropping)? Or is it a management issue, so that if you need to revoke a certificate you don't need to reissue certificates to every single device? Or something else entirely?

          Would you recommend issuing certificates to devices rather than users then?

          Cheers
          Matt

          jimp (Rebel Alliance Developer, Netgate)

            It's a good security policy / best practice to not reuse certificates or credentials where possible.

            Main benefits are the extra fine-grained control but also the management issue you mentioned. If someone uses the same certificate on their laptop, phone, and tablet and they lose their tablet, then they must load a new certificate on every device.
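
As an added example (not from this thread, and not pfSense or strongSwan code), a small Python script that scans IPsec log lines for the two things discussed in jimp's replies: the uniqueness-policy teardown that the "Configure Unique IDs as" setting controls, and, once that is set to Never, the same certificate identity being presented from more than one remote address, which is the credential reuse he advises against. The log message formats are assumed from strongSwan's charon daemon, and every identity, address and timestamp in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed charon (strongSwan) log excerpt: names, addresses and IDs are invented.
# The message formats are assumed from strongSwan's IKE_SA manager; adjust the
# regexes if your pfSense/strongSwan version logs these events differently.
SAMPLE_LOG = """\
Jun 1 09:00:01 charon[80045]: 11[IKE] <con-mobile|3> IKE_SA con-mobile[3] established between 198.51.100.1[CN=vpn.example.net]...203.0.113.10[CN=matt]
Jun 1 09:05:42 charon[80045]: 07[IKE] <con-mobile|4> deleting duplicate IKE_SA for peer 'CN=matt' due to uniqueness policy
Jun 1 09:05:42 charon[80045]: 07[IKE] <con-mobile|4> IKE_SA con-mobile[4] established between 198.51.100.1[CN=vpn.example.net]...192.0.2.77[CN=matt]
Jun 1 09:30:15 charon[80045]: 09[IKE] <con-mobile|5> IKE_SA con-mobile[5] established between 198.51.100.1[CN=vpn.example.net]...203.0.113.55[CN=alice]
"""

# "established between local[local_id]...remote[remote_id]" (assumed strongSwan format)
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[\d+\] established between "
    r"(?P<local>[\d.:a-fA-F]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote>[\d.:a-fA-F]+)\[(?P<remote_id>[^\]]*)\]"
)
# Logged when the uniqueness policy (Unique IDs = Yes/Replace) tears down the older tunnel
DUPLICATE = re.compile(
    r"deleting duplicate IKE_SA for peer '(?P<peer_id>[^']*)' due to uniqueness policy"
)

def parse_events(log_text):
    """Return (event_type, identity, remote_address_or_None) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            events.append(("established", m["remote_id"], m["remote"]))
            continue
        m = DUPLICATE.search(line)
        if m:
            events.append(("duplicate_deleted", m["peer_id"], None))
    return events

def summarize(events):
    """Per identity: distinct remote addresses seen and tunnels dropped by the uniqueness policy."""
    addrs, dropped = defaultdict(set), defaultdict(int)
    for kind, ident, remote in events:
        if kind == "established":
            addrs[ident].add(remote)
        else:
            dropped[ident] += 1
    return {i: {"remote_addresses": sorted(addrs[i]), "duplicates_dropped": dropped[i]}
            for i in set(addrs) | set(dropped)}

def shared_identities(summary):
    """Identities whose certificate was presented from more than one remote address."""
    return sorted(i for i, s in summary.items() if len(s["remote_addresses"]) > 1)

if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for ident in shared_identities(s):
        print(ident, s[ident]["remote_addresses"], s[ident]["duplicates_dropped"], "dropped")
```

On a live box, feed it the IPsec log from Status > System Logs instead of SAMPLE_LOG; identities listed by shared_identities() are the ones worth a per-device certificate.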

              daystrom_matthew @jimp

              @jimp Thanks again!

              I'll have a look into a way of automatically deploying the certificates per user, per device then. I have a CA external to pfSense I can leverage for that.

              This will let me get the core users we need going in the meantime.

              Have a great day
              Matt :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.