IPsec Mobile Clients



  • We've installed pfSense 2.0 RC1 in a test environment.  Working great so far!  We are thinking of replacing a Cisco ASA 5510, but have 1 small issue.  On the Cisco, we have multiple dial up client tunnels, each with a different group and PSK.  Based on the group and PSK, we assign users an address on a particular subnet, which allows us to control access to certain networks.  I was able to successfully configure 1 tunnel on pfSense and give access to multiple subnets, but I haven't found a way to create a second one that would use a different group, PSK and assign an address from a different subnet.  Is this possible on pfSense?  If not, I was hoping for some recommendations on what others are doing for similar situations.

    Thanks. -JP



  • I think we have the same problem. I'm also unable to create a second phase 1 for a mobile client. I think it's a bug.



  • Now I tried something tricky:

    https://192.168.1.1/vpn_ipsec_phase1.php?mobile=true

    With this link I tried to add a second phase 1 for another mobile client, but as soon as I save the second phase 1 I also can't connect with my first mobile device (VPN server timeout). When I delete the second phase 1, everything works fine again.

    This seems like a big bug.


  • Rebel Alliance Developer Netgate

    If I remember right, the underlying software (racoon) can't have multiple definitions for the type of phase 1 required for mobile access. It's not just a limitation of the GUI.



  • Hmmm, and there is no solution for that? We have more than 5 mobile users and everyone should have his own certificate. This is only possible with different phase 1s.
    I'm currently in the test phase with pfSense, and if it is not possible to add more than 1 mobile device I have to test other software. At the moment I'm using IPCop, but I think it's outdated, so I wanted to switch to other, more up-to-date software. Now I'm thinking pfSense was the wrong way :(


  • Rebel Alliance Developer Netgate

    Each person should have a different certificate, or a different CA? As far as I remember, you can do cert auth fine with multiple users so long as the certs are from the same CA. I haven't done certs with IPsec though. I use OpenVPN for all my mobile clients as it's much more flexible and less prone to errors and NAT issues on random remote networks.



  • Each person should have a different certificate from the same CA.

    "you can do cert auth fine with multiple users so long as the certs are from the same CA"

    At the moment I have no pfSense box here (I am at home; here in Austria it's 1:40 am ;) ), but if I remember correctly, I have to set the certificate in phase 1. As I can only create one phase 1 for mobile clients, I can't select different certificates.

    "I use OpenVPN for all my mobile clients as it's much more flexible and less prone to errors and NAT issues on random remote networks."

    The problem is, we are using the Greenbow VPN Client (IPsec client). With IPCop it was no problem to create more than one road warrior connection, so we used that. The next step would be to integrate our iOS devices (iPhones), and without a jailbreak it is not possible to use OpenVPN on them.


  • Rebel Alliance Developer Netgate

    I believe when you set the certificate on the mobile IPsec p1 that is the server side certificate, not the client's certificate. I thought they just had to be from the same CA (the way OpenVPN works) and not match exactly. I may be incorrect, as I said I haven't used IPsec+certs before myself.



  • OK, maybe that will work. But what about my iOS devices? For them I have to use PSK + XAuth, and this isn't possible with a second phase 1 :(

    I forgot to say that I'm using the latest 2.0 RC1 build.

    Edit: OK, now I'm using only PSKs + XAuth for the road warrior connections and it's working like a charm with Greenbow and iOS devices :)
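    As an added illustration (not from this thread and not the configuration pfSense generates), this is the shape of a racoon mobile-client definition behind the limitation the developer describes above and the PSK + XAuth setup that ended up working: road warriors all land in the single catch-all `remote anonymous` section, and per-user identity comes from XAuth credentials rather than from a second phase 1. Paths, addresses, the pool and the algorithm choices are assumptions.

```conf
# Constructed racoon.conf fragment (assumption: pfSense 2.0 RC1 drives racoon
# for IKEv1; this illustrates the structure, it is not pfSense's generated file)
path pre_shared_key "/var/etc/psk.txt";   # constructed path; one "identifier key" pair per line

# Remote sections are keyed by peer address. "anonymous" is the one slot for
# peers whose address is not known in advance, i.e. every road warrior, so a
# second mobile phase 1 has no distinct section to land in.
remote anonymous {
    exchange_mode aggressive;       # aggressive mode: client sends its group identifier first
    my_identifier address;
    proposal_check obey;
    generate_policy on;             # build SPD entries from what the client proposes
    nat_traversal on;               # road warriors are usually behind NAT
    ike_frag on;
    mode_cfg on;                    # hand out a virtual address via ISAKMP mode-config

    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;   # group PSK, then per-user XAuth login
        dh_group 2;
    }
}

# mode_cfg is a single global section, so there is one address pool for all
# mobile clients; the per-group pools of the ASA setup in the first post do
# not map onto it directly.
mode_cfg {
    auth_source system;             # XAuth logins checked against the local user database
    network4 10.10.20.1;            # constructed pool start
    netmask4 255.255.255.0;
    pool_size 50;
    dns4 192.168.10.2;              # constructed internal DNS server
    split_network include 192.168.10.0/24;   # networks pushed to the client
    banner "/var/etc/racoon.banner";         # constructed path
}

sainfo anonymous {
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group 2;
}
```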

