Netgate Discussion Forum
    Multiple subnets/identifiers with Mobile IPSEC?

aworstell

      Hello,
      This documentation page:
      https://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets
      says:
      "The parallel tunnels technique also works with mobile tunnels. On the server side, you need to create a unique Identifier/Pre-Shared Key (PSK) combination for each subnet. Actually, the PSK can be the same for each Identifier, as long as the identifiers are unique. If you have three subnets, you could use site-a1@example.com, site-a2@example.com, and site-a3@example.com."

However, the identifier/PSK are on the Phase 1 side of the tunnel, and I don't see any way to make multiple Phase 1 connections for Mobile IPsec.

I'm trying to accomplish two things here: A) multiple tunnels through mobile IPsec, and B) tunnels separated by limiting access to who gets which identifier/PSK.

      I had tried to post this to the list but this (and the last post I tried to make) never showed up, hope this isn't considered cross-posting.

doktornotor

        Using 1.2.x docs for pfSense 2.x will do no good.

aworstell

Unfortunately, the 2.0 section of that page doesn't list anything about mobile, but says:
"If the equipment to which you are connecting does not support multiple Phase 2's, you may need to employ supernetting/CIDR summarization (see below) to fit the networks into a single Phase 2."

The example given (in the 1.x section) for supernetting uses networks that are next to each other. Is this possible using completely different networks, e.g. 172.16.0.0/28 and 192.168.0.0/24?

jimp (Netgate developer)
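As an added illustration of the summarization question in the post above (example code written for this page, not pfSense's own), the following computes the smallest single CIDR block that would cover a set of networks and how much unintended address space that block drags into the Phase 2 selector. Adjacent networks summarize exactly; unrelated ones such as 172.16.0.0/28 and 192.168.0.0/24 only fit under 128.0.0.0/1, which would let a peer send traffic for half the IPv4 space through the tunnel.

```python
import ipaddress


def covering_supernet(cidrs):
    """Return the smallest single network containing every network in cidrs.

    Networks are assumed to be non-overlapping and of one IP version.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all networks must share one IP version")
    # Widen the first network one prefix bit at a time until all others fit.
    # supernet() of a /0 returns itself, so the loop always terminates.
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summarization_report(cidrs):
    """Describe the cost of replacing cidrs with one summary route.

    'extra' is the number of addresses the summary admits that were not in
    any of the original networks; 'exact' is True when there are none.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    summary = covering_supernet(cidrs)
    intended = sum(n.num_addresses for n in nets)
    extra = summary.num_addresses - intended
    return {
        "summary": str(summary),
        "intended": intended,
        "extra": extra,
        "exact": extra == 0,
    }


if __name__ == "__main__":
    # Constructed inputs: the adjacent case from the docs and the
    # unrelated-networks case asked about in the thread.
    for example in (["192.168.0.0/24", "192.168.1.0/24"],
                    ["172.16.0.0/28", "192.168.0.0/24"]):
        print(example, "->", summarization_report(example))
```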

            None of that really applies to Mobile. There isn't a way in IPsec currently to restrict access for a given IP/PSK in the way you're after.

            If this is for site to site, use individual tunnels, not mobile.

If it's for mobile clients, the Phase 2 entries are only really used if you check the box to supply a list of networks to the client, and then only if they obey that list. Mobile setups let the client specify what they want to send; the server can't really restrict that (except with firewall rules).
