IPSec IKEv2 EAP-TLS with multiple mobile connections
-
Hi
I am testing deploying IPSec IKEv2 EAP-TLS for my mobile clients. I followed the Netgate docs https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-tls.html.
I can establish connections from a mobile client to pfSense and everything (split tunnel, DNS, access to selected internal networks, etc.) works as expected. However if the same user on an additional device attempts to create a second connection the first VPN tunnel closes. This is frustrating because users often want to simultaneously connect on say a tablet and laptop, or laptop and phone, etc.
At first I thought this was related to this forum post: https://forum.netgate.com/topic/164171/mobile-ipsec-multiple-mobile-clients-with-the-same-public-ip.
However the problem is still there when I tested this with two devices coming from different global IPv4 addresses (each was connecting using different carriers with their own address ranges).I did have a trawl through the logs but nothing particularly stood out. Having said that there are 4 site-to-site IKEv2 instances on the same pfSense box so I might have missed something in the noise.
Any suggestions would be appreciated.
Matt -
Normally you don't want to allow multiple connections from the same remote certificate. But if that is something you must do, then you should be able to work around that by going to VPN > IPsec on the Advanced Settings tab and on there, set Configure Unique IDs as to Never.
-
@jimp Hi, thanks for that! That 'fixed' it.
Ok, so I'm guessing this is a silly question, but why do you limit the number of instances a single certificate can connect? Is it to make the compromise of a certificate more noticeable (since sessions will be dropping)? Or is it a management issue, that if you need to revoke a certificate you don't need to reissue certificates to every single device? Or something else entirely?
Would you recommend issuing certificates to devices rather than users then?
Cheers
Matt -
It's a good security policy / best practice to not reuse certificates or credentials where possible.
Main benefits are the extra fine-grained control but also the management issue you mentioned. If someone uses the same certificate on their laptop, phone, and tablet and they lose their tablet, then they must load a new certificate on every device.
-
@jimp Thanks again!
I'll have a look into a way of automatically deploying the certificates per user, per device then. I have a CA external to pfSense I can leverage for that.
This will let me get the core users we need going in the meantime.
Have a great day
Matt :)
