Multiple IPsec Mobile Phase 1 (for multiple WAN interfaces)

bulgarion · Dec 25, 2012, 5:36 PM

Hi everybody, and merry Christmas.
Going straight to business - I have a pfSense load-balancing two ethernet connections, one on the WAN1 interface and the other on the WAN2 interface. Recently I enabled a mobile IPsec tunnel for an iPad, but I can't seem to find the option to add multiple "Mobile Clients" Phase 1 to assign to the multiple interfaces of the firewall (so that I could - with two mobile IPsec configurations - keep connecting to the firewall even if one of the two internet connection goes down).
Any hint?
Thanks,

Marco

jimp · Dec 26, 2012, 2:02 PM

There isn't a way to make multiple mobile Phase 1's. There can only be a single Mobile instance.

You could try, if you force NAT-T, to bind it to the LAN and use port forwards for udp/4500, udp/500, and ESP on each WAN to the LAN IP.

I say force NAT-T because I don't know how well, if at all, IPsec would like that NAT for normal mode.

bulgarion · Dec 27, 2012, 3:09 PM

Thanks for the tip - I also force NAT-T (due to the fact that I'm using external routers that both do static NAT to the pfSense, and the external clients are iPhones/iPads), so I'll give it a shot someday.

Is there any particular reason behind the choice to have a single Mobile Phase 1? Not arguing, just curious. Maybe I could file a feature request for multiple Mobile Phases, or just an option for listening over multiple interfaces.

jimp · Dec 27, 2012, 3:13 PM

I believe that's all that the underlying software supports in a way we can actually use.

It needs specific IPs for site-to-site's and then it can have one "anonymous" (mobile) that isn't tied to a fixed IP. It can't really have multiple catchalls in that way.

dhatz · Dec 27, 2012, 3:27 PM

JimP, what about the discussion in http://redmine.pfsense.org/issues/1965 where you wrote:

In the future it would be nice to have IPsec allow connections to/from multiple peers for the same tunnel, for failover.

racoon can handle multiple phase 1's in this way, there would just need to be some means in the GUI to allow the input of additional peers.

jimp · Dec 27, 2012, 3:47 PM

Completely different animal.

I had thought it would be simpler but it requires a bit of heavy lifting to make that work. That's why we chose to do the gateway group method instead of that sort of failover.

Would still be nice to figure out eventually, but a bit beyond my understanding of racoon's config and how we'd have to set it all up. (Plus the other end would have to support it, too)