Netgate Discussion Forum

    different ACLs for different road warrior configurations?

    IPsec
    1 Posts 1 Posters 356 Views

    SpaceBass

      Hey folks,
      My terminology might be a little muddled here. I'll try and explain what I want to do.

      We currently use OpenVPN and have two different server instances running for two different use cases. I want to move those to IPsec for performance reasons. My understanding is that IPsec can only have one mobile / road warrior instance.

      1. VPN on Demand - iOS devices use a profile and initiate an OVPN connection which only uses a cert and allows access to a select few hosts and ports
      2. user-based VPN - iOS and macOS users can manually initiate a connection which uses both PKI and user-based auth. Once connected, they have full network access

      Can I achieve a similar configuration with IPsec?

      Ideally, the always-on VPN (on demand is the official term from Apple, I think) requires cert-based auth. I'd like those clients to be considerably more limited.

      I'd like user-based clients to get full LAN access.

      I was trying to imagine some way to do it with P2 rules... but I can't think of a way for pfSense (swan?) to determine the difference between a cert-only and cert+user auth.

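The design question above (one road-warrior tunnel, two access levels) is usually attacked by giving each client class its own virtual address pool and then writing the firewall policy on the IPsec interface per pool, so the firewall never has to know how a peer authenticated. The following is an added example written for this page, not code from the post, from Netgate or from pfSense/strongSwan: it models that policy in Python, evaluates sample flows against it with a default deny, and renders the equivalent pf-style rules. The pool ranges (10.10.1.0/24 for cert-only on-demand clients, 10.10.2.0/24 for cert+user clients), the LAN range and the "select few hosts and ports" are constructed assumptions; how the two classes are steered into separate pools on the VPN server is outside the snippet.

```python
"""Added example: per-pool ACLs for IPsec road-warrior clients.

Assumptions (hypothetical, not from the forum post):
  - cert-only on-demand clients receive addresses from ONDEMAND_POOL
  - cert+user-authenticated clients receive addresses from USER_POOL
  - the inside network is LAN; two LAN hosts/ports are the "select few"
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN = ip_network("192.168.1.0/24")            # constructed sample LAN
ONDEMAND_POOL = ip_network("10.10.1.0/24")    # assumed cert-only pool
USER_POOL = ip_network("10.10.2.0/24")        # assumed cert+user pool
IPSEC_IF = "enc0"                             # IPsec interface name on FreeBSD/pfSense


@dataclass(frozen=True)
class Rule:
    """A permit rule: source pool -> destination network, optional TCP ports."""
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset]  # None means any port / any protocol

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (
            ip_address(src) in self.src
            and ip_address(dst) in self.dst
            and (self.ports is None or port in self.ports)
        )


# Constructed policy: on-demand clients reach two hosts on two ports,
# user-authenticated clients reach the whole LAN.
RULES: List[Rule] = [
    Rule(ONDEMAND_POOL, ip_network("192.168.1.10/32"), frozenset({443})),
    Rule(ONDEMAND_POOL, ip_network("192.168.1.53/32"), frozenset({53})),
    Rule(USER_POOL, LAN, None),
]


def is_allowed(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> bool:
    """Default deny: a flow is permitted only if some rule explicitly matches.

    A source outside both pools (or a pool client reaching past its rules)
    is therefore dropped, which is the property the two-tier design relies on.
    """
    return any(rule.matches(src, dst, port) for rule in rules)


def _host_or_net(net: IPv4Network) -> str:
    # pf accepts a bare host address; only print a prefix for real subnets.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_pf(rules: List[Rule] = RULES) -> List[str]:
    """Render the policy as illustrative pf rules on the IPsec interface.

    pf uses last-match semantics unless a rule says `quick`, so the catch-all
    block comes first and every pass rule is `quick`. Shape is illustrative,
    not a verified pfSense configuration.
    """
    lines = [f"block in on {IPSEC_IF} all"]
    for rule in rules:
        if rule.ports is None:
            lines.append(
                f"pass in quick on {IPSEC_IF} inet from {rule.src} to {_host_or_net(rule.dst)}"
            )
        else:
            for port in sorted(rule.ports):
                lines.append(
                    f"pass in quick on {IPSEC_IF} inet proto tcp from {rule.src} "
                    f"to {_host_or_net(rule.dst)} port {port}"
                )
    return lines


if __name__ == "__main__":
    for line in render_pf():
        print(line)
    print(is_allowed("10.10.1.5", "192.168.1.10", 443))  # on-demand client, permitted host/port
    print(is_allowed("10.10.1.5", "192.168.1.20", 443))  # on-demand client, other host: denied
```

The value of separating the pools is that the firewall policy stays auditable: a rule review shows exactly what the certificate-only class can reach, and a client that somehow lands in the wrong pool is the thing to detect (a source address from ONDEMAND_POOL appearing in logs for LAN hosts other than the two listed).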
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.