Multiple subnets/identifiers with Mobile IPsec?
  • Hello,
    This documentation page:
    https://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets
    says:
    "The parallel tunnels technique also works with mobile tunnels. On the server side, you need to create a unique Identifier/Pre-Shared Key (PSK) combination for each subnet. Actually, the PSK can be the same for each Identifier, as long as the identifiers are unique. If you have three subnets, you could use site-a1@example.com, site-a2@example.com, and site-a3@example.com."

    However, the identifier/PSK are on the Phase 1 side of the tunnel, and I don't see any way to make multiple Phase 1 connections for Mobile IPsec.

    I'm trying to accomplish two things here: A) multiple tunnels through Mobile IPsec, and B) tunnels separated by limiting access to who gets which identifier/PSK.

    I had tried to post this to the list but this (and the last post I tried to make) never showed up, hope this isn't considered cross-posting.


  •

    Using 1.2.x docs for pfSense 2.x will do no good.



  • Unfortunately, the 2.0 section of that doesn't list anything about mobile, but says:
    "If the equipment to which you are connecting does not support multiple Phase 2's, you may need to employ supernetting/CIDR summarization (See below) to fit the networks into a single Phase 2."

    The example given (in the 1.x section) for supernetting uses networks that are next to each other. Is this possible using completely different networks, e.g. 172.16.0.0/28 and 192.168.0.0/24?

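    The summarization question above can be answered by computing the smallest single CIDR block that covers a set of networks, which is what a single Phase 2 would have to carry. The script below is an added example written for this thread; it is not from the pfSense documentation or the pfSense code base, and it generalizes beyond the two networks asked about to any list of same-version networks. It uses only Python's standard `ipaddress` module. The sample network lists at the bottom are constructed for illustration.

    ```python
    import ipaddress


    def smallest_supernet(networks):
        """Smallest single CIDR block that contains every network in the list.

        This is the supernet a single Phase 2 would have to carry if the peer
        only supports one Phase 2 and the networks cannot be merged any other way.
        """
        nets = [ipaddress.ip_network(n, strict=False) for n in networks]
        if len({n.version for n in nets}) != 1:
            raise ValueError("all networks must be the same IP version")
        prefix = min(n.prefixlen for n in nets)
        # Widen the block one bit at a time until every network fits inside it.
        while True:
            candidate = nets[0].supernet(new_prefix=prefix)
            if all(n.subnet_of(candidate) for n in nets):
                return candidate
            prefix -= 1


    def summarize(networks):
        """Describe what a single-Phase-2 summary of these networks would look like.

        Returns the covering block, whether it is an exact summary (no address
        outside the listed networks is included) and how many extra addresses
        the summary pulls into the traffic selector.
        """
        nets = [ipaddress.ip_network(n, strict=False) for n in networks]
        covering = smallest_supernet(networks)
        # collapse_addresses merges adjacent/overlapping blocks; a single result
        # means the listed networks really form one contiguous block.
        exact = len(list(ipaddress.collapse_addresses(nets))) == 1
        listed = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        extra = covering.num_addresses - listed
        return {"supernet": str(covering), "exact": exact, "extra_addresses": extra}


    if __name__ == "__main__":
        # Constructed sample inputs, not taken from the thread's configuration.
        # Adjacent networks (the documented case) summarize cleanly to one /23.
        print(summarize(["192.168.0.0/24", "192.168.1.0/24"]))
        # Non-adjacent networks in the same RFC 1918 block: a /22 with two unused /24s.
        print(summarize(["10.0.0.0/24", "10.0.2.0/24"]))
        # The networks asked about in the post: the only covering block is 128.0.0.0/1.
        print(summarize(["172.16.0.0/28", "192.168.0.0/24"]))
    ```

    The third case shows why summarizing unrelated networks is a poor fit for a tunnel selector: 172.16.0.0/28 and 192.168.0.0/24 share only their first bit, so the only block that covers both is 128.0.0.0/1, and a Phase 2 built on it would match traffic to half of the IPv4 address space rather than to the 272 addresses actually intended.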

  • Rebel Alliance Developer Netgate

    None of that really applies to Mobile. There isn't a way in IPsec currently to restrict access for a given IP/PSK in the way you're after.

    If this is for site to site, use individual tunnels, not mobile.

    If it's for mobile clients, the Phase 2 entries are only really used if you check the box to supply a list of networks to the client, and then only if they obey that list. Mobile setups let the client specify what they want to send; the server can't really restrict that (except with firewall rules).

