Road Warriors with different rulesets
Let's say I have two mobile clients connecting to my pfSense from dynamic IP addresses, RW1 and RW2. They both have different identifier and PSK pairs. Also, they obviously have different IP addresses used by the mobile clients. Now if I want these clients to only have restricted access to the systems they need, let's say RW1 is to have access to SERVER-A and RW2 to SERVER-B, I create the firewall rules to only allow the RW1 IP address to connect to SERVER-A and accordingly similar rules for RW2.
But if RW2 edits his mobile client connection to simply use RW1's IP address, he can authenticate with his known identifier / PSK pair, but gain access to SERVER-B.
Any solution for this?
Not easily with IPsec. With OpenVPN you can use CSC entries to force people onto specific IPs, and on pfSense 2.0 you can also force them to use username/password, and also check that the username matches the certificate name.
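A worked layout of what the answer describes, added here as an illustration rather than the poster's own configuration. The tunnel subnet (10.8.0.0/24), the certificate common names (RW1, RW2), the server addresses (192.0.2.10, 192.0.2.20), the OpenVPN interface name (ovpns1) and the file paths are all assumptions; the per-client files are OpenVPN client-config-dir entries, which pfSense calls Client Specific Overrides (CSC).

```conf
# --- server config, relevant lines only (path and subnet are assumed) ---
# /var/etc/openvpn/server1.conf
server 10.8.0.0 255.255.255.0        # tunnel pool the server assigns from
topology subnet                      # one address per client instead of /30 pairs
client-config-dir /var/etc/openvpn-csc   # per-client files, keyed by certificate CN
ccd-exclusive                        # a cert with no CSC file is refused outright
# leave duplicate-cn unset: each certificate may be connected once at a time

# --- /var/etc/openvpn-csc/RW1  (file name must equal the cert's common name) ---
ifconfig-push 10.8.0.10 255.255.255.0   # RW1 always gets this tunnel address

# --- /var/etc/openvpn-csc/RW2 ---
ifconfig-push 10.8.0.20 255.255.255.0   # RW2 always gets this one

# --- firewall rules on the OpenVPN interface, shown in pf syntax;
# the same three rules are entered on the OpenVPN tab in the pfSense GUI ---
pass in quick on ovpns1 inet proto tcp from 10.8.0.10 to 192.0.2.10 port 22
pass in quick on ovpns1 inet proto tcp from 10.8.0.20 to 192.0.2.20 port 443
block in quick on ovpns1 inet from 10.8.0.0/24 to any
```

The difference from the IPsec/PSK setup in the question is who picks the address. Here the server assigns it from the CSC file matching the common name of the certificate the client proved possession of, so RW2 cannot obtain 10.8.0.10 without RW1's private key, and `ccd-exclusive` keeps an unlisted certificate from getting any address at all. If RW2 instead rewrites the source address of packets inside his own tunnel, the server drops them, because in tun mode OpenVPN only forwards traffic whose source is the client's assigned address (or a network granted to it with `iroute`); such packets show up in the log as "bad source address from client". The firewall rules therefore key on addresses that are bound to an authenticated identity, which is the property the question's IPsec design was missing.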