IPsec Mobile Clients

Reply to IPsec Mobile Clients on Wed, 27 Apr 2011 14:00:55 GMT

pfsenseuser3 — Wed, 27 Apr 2011 14:00:55 GMT

ok.. maybe that will work. but what is with my iOS devices? For them i have to use PSK + XAuth. And this isn´t possible with a second phase 1 :(

i forgot to say that i´m using the latest 2.0 RC1 build.

edit: ok, now i´m using only PSK´s +Xauth for the roadwarrior connections and it´s working like a charme with greenbow and iOS devices :)

Reply to IPsec Mobile Clients on Wed, 27 Apr 2011 00:08:38 GMT

jimp — Wed, 27 Apr 2011 00:08:38 GMT

I believe when you set the certificate on the mobile IPsec p1 that is the server side certificate, not the client's certificate. I thought they just had to be from the same CA (the way OpenVPN works) and not match exactly. I may be incorrect, as I said I haven't used IPsec+certs before myself.

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 23:42:16 GMT

pfsenseuser3 — Tue, 26 Apr 2011 23:42:16 GMT

each person should have a different certificate from the same CA.

you can do cert auth fine with multiple users so long as the certs are from the same CA

at the moment I have no pfsense box here (I am at home, here in austria it´s 1:40 am ;) ) but if I remember correctly, I have to set the certificate in phase 1. As I can only create one phase 1 for mobile clients I can´t select different certificates.

I use OpenVPN for all my mobile clients as it's much more flexible and less prone to errors and NAT issues on random remote networks.

The problem is, we are using the Greenbow VPN Client (IPSEC Client).. With the Ipcop it was no problem to create more than one roadwarrior connection, so we used that. Next step would be to integrate our iOS devices (iphones) and without jailbreak it is not possible to use OPENVPN on them.

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 23:03:02 GMT

jimp — Tue, 26 Apr 2011 23:03:02 GMT

Each person should have a different certificate, or a different CA? As far as I remember, you can do cert auth fine with multiple users so long as the certs are from the same CA. I haven't done certs with IPsec though. I use OpenVPN for all my mobile clients as it's much more flexible and less prone to errors and NAT issues on random remote networks.

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 22:56:23 GMT

pfsenseuser3 — Tue, 26 Apr 2011 22:56:23 GMT

hmmm and there is no solution for that? We have more than 5 mobile users and everyone should have his one certificate.. this is only possible with different phase 1.
i´m currently in the test phase with pfsense and if it is not possible to add more than 1 mobile device i have to test another software.. at the moment i´m using ipcop.. but i think it´s outdated so i wanted to switch to another, more up to date software… now i´m thinking pfsense was the wrong way :(

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 14:42:44 GMT

jimp — Tue, 26 Apr 2011 14:42:44 GMT

If I remember right, the underlying software (racoon) can't have multiple definitions for the type of phase 1 required for mobile access. It's not just a limitation of the GUI.

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 14:08:32 GMT

pfsenseuser3 — Tue, 26 Apr 2011 14:08:32 GMT

now i tried something tricky..

https://192.168.1.1/vpn_ipsec_phase1.php?mobile=true

with this link i tried to add a second phase 1 for another mobil client.. but as sone as i save the second phase 1 i also can´t connect with my first mobile device (vpn server timeout). When i delete the second phase 1 everything is working fine again.

This seems like a big bug..

Reply to IPsec Mobile Clients on Tue, 26 Apr 2011 08:57:01 GMT

pfsenseuser3 — Tue, 26 Apr 2011 08:57:01 GMT

i think we have the same problem. i´m also unable to create a second phase1 for a mobile client. i think it´s a bug.