Routing mobile VPN users through IPSec tunnel
-
Setup looks like this:
```
+----------+ ------------> +---------------+ ---------------> +-----------+
|  iPhone  | IPSec Client  |    pfSense    |  IPSec Tunnel    |    ASA    |
+----------+ ------------> |               | ---------------> |           |
                           +---------------+                  +-----------+
                                  |L|                              |L|
                                  |A|                              |A|
                                  |N|                              |N|
                                  |_|                              |_|
                                  \ /                              \ /
                           +---------------+                  +-----------+
                           |    Office     |                  |    NOC    |
                           |    Network    |                  |  Network  |
                           +---------------+                  +-----------+
```
From my iPhone I can hit things on the office network, but I cannot reach the NOC network. The pfSense and users on the office network can hit things on the NOC network no problem (my iPhone's connection is getting authenticated by an OpenLDAP server in the NOC, so no connection problems). I can't even ping the ASA's internal IP address. Anyone have any thoughts on what might be blocking the traffic?
-
Your mobile subnet is not allowed through your pfSense/ASA IPsec tunnel. What you have to do is add another Phase 2 subnet entry to your pfSense/ASA IPsec tunnel.
I have a similar setup at my work, and the only way for mobile clients to communicate onto the second site (i.e. ASA), is to add the subnet to the IPsec Phase 2 config (see attachment of my Phase 2 subnets).
You'll have to add the Phase 2 subnet on both the pfSense box, and the ASA end in order for communication to pass through from the mobile client.
As per my attachment, my subnet (172.25.15.0/25) is my mobile clients. If I remove this Phase 2 entry, my mobile clients would not be able to hit anything on the 10.2.30.0/24 subnet.
![Phase2 Subnets.PNG](/public/imported_attachments/1/Phase2 Subnets.PNG)
-
> Your mobile subnet is not allowed through your pfSense/ASA IPsec tunnel. What you have to do is add another Phase 2 subnet entry to your pfSense/ASA IPsec tunnel.
I'm not the least bit qualified to be mucking with these ASAs. Got the initial setup working using Cisco's site-to-site VPN wizard in ASDM, and am not about to figure out how to add a second P2 entry!
Fortunately, I was able to allocate an adjacent subnet to mobile users, so just had to change the subnet mask of the existing P2 entries. That's working now, thanks for your assistance.
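As an added example (not code from either poster), a small Python check of the rule from the answer above: mobile-client traffic only crosses the tunnel when a Phase 2 selector on the pfSense side and its mirror on the ASA side both contain the mobile pool. It also shows the supernet test behind the follow-up fix, widening an existing P2 entry so that it covers an adjacent mobile pool instead of adding a second entry. All subnets are constructed.

```python
from ipaddress import ip_network

# Constructed Phase 2 tables: each entry is a (local, remote) traffic selector.
# The ASA table is written from the ASA's point of view, i.e. mirrored.
PFSENSE_P2 = [("10.10.0.0/24", "10.20.0.0/24")]   # office LAN -> NOC LAN
ASA_P2 = [("10.20.0.0/24", "10.10.0.0/24")]       # NOC LAN -> office LAN
NOC_LAN = "10.20.0.0/24"
MOBILE_POOL = "10.10.1.0/24"                      # mobile IPsec client pool, adjacent to office LAN


def selector_covers(entries, src, dst):
    """True if some (local, remote) selector contains the src -> dst flow."""
    src, dst = ip_network(src), ip_network(dst)
    return any(src.subnet_of(ip_network(local)) and dst.subnet_of(ip_network(remote))
               for local, remote in entries)


def tunnel_allows(pf_entries, asa_entries, mobile_net, target_net):
    """Mobile -> NOC traffic needs a matching selector on BOTH ends:
    pfSense must encrypt it outbound and the ASA must accept it (and route replies back)."""
    outbound = selector_covers(pf_entries, mobile_net, target_net)
    inbound = selector_covers(asa_entries, target_net, mobile_net)
    return outbound and inbound


def widened_selector(lan, pool):
    """Alternative to a second P2 entry: the smallest supernet that holds both the LAN
    and the mobile pool. Returns None if that supernet would also carry address space
    that belongs to neither block, because a wider selector should not be used then."""
    lan, pool = ip_network(lan), ip_network(pool)
    net = lan
    while not pool.subnet_of(net):
        if net.prefixlen == 0:
            return None
        net = net.supernet()
    if net.num_addresses != lan.num_addresses + pool.num_addresses:
        return None
    return net


if __name__ == "__main__":
    print("before fix:", tunnel_allows(PFSENSE_P2, ASA_P2, MOBILE_POOL, NOC_LAN))
    print("widened selector:", widened_selector("10.10.0.0/24", MOBILE_POOL))
```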