    Mobile IPSec clients connecting to remote networks of another IPSec connection

    Category: IPsec
    3 Posts, 3 Posters, 1.5k Views
    enrico.m.crisostomo:

      Hi all,

      I'm experimenting with pfSense in a lab because I'm seriously thinking about substituting old firewalls we have and make some restructuring and so far I'm very pleased with the quality of this project. Kudos to you all.

      The scenario I'm trying to implement is the following. My pfSense firewall (v. 2.1.4) has got LAN on 192.168.96.0/19 and is connected to remote network 10.0.0.0/24 using an IPSec tunnel:

      
      LAN (192.168.96.0/19) <--> pfSense <-- IPSec Tunnel --> Remote Network (10.0.0.0/24)
      
      

      Mobile IPSec clients (I'm testing with OS X) connect to the LAN and are assigned IP addresses on virtual network 192.168.32.0/19:


      Mobile clients (192.168.32.0/19) <-- Mobile IPSec tunnel --> pfSense <--> LAN (192.168.96.0/19)

      VPN: IPsec: Edit Phase 2: Mobile Client
        Local Network
          Type: LAN Subnet


      Mobile IPSec is configured to send the list of available networks.

      So far, so good. I didn't have to add any firewall rule and it all works on a vanilla pfSense installation out of the box.

      Now the question: Is it possible to configure the tunnels and/or the routes in such a way that mobile clients can connect to remote network 10.0.0.0/24 routing their traffic through the other site to site IPSec tunnel?

      
      Mobile clients (192.168.32.0/19) <-- Mobile IPSec tunnel --> pfSense <--> LAN (192.168.96.0/19)
                                                                           <-- IPSec Tunnel --> Remote Network (10.0.0.0/24)
      
      

      I've thought about:

      • Adding static routes for 192.168.32.0/19, but then I don't know which gateway I can use (no IPsec gateways are listed in the routes).

      • Adding 10.0.0.0/24 to the phase2 configuration of the mobile IPSec tunnel.

      • Adding the virtual network 192.168.32.0/19 assigned to the mobile clients to the list of the local networks of the site to site IPSec tunnel, but I wouldn't like the other side to see it.

      I know this is possible with IPSec tunnels (just add matching phase2 entries to the tunnels you want to connect) but I'm at a loss with mobile IPSec tunnels and their phase2 and unfortunately I'm still unable to make it work.

      Any thoughts about this are greatly appreciated.

      Cheers,
      – Enrico

    eksantrik:

        I was wondering if you were able to fix this problem, because I am having exactly the same issue.

        If so, could you please tell me how you did it?

        thanks

    TimmZahn:

          Hey there enrico.m.crisostomo (or anyone else that knows the answer) -

          I am experiencing what is mentioned in the OP. I have a working Mobile IPSec VPN, and all mobile devices can see resources on the local LAN subnets. These mobile devices cannot traverse the site-to-site VPN to my servers in the cloud. As stated below, with a traditional site-to-site VPN you would simply add another Phase2 and make sure that the remote side has a route to your new subnet. That idea does not appear to work with a Mobile IPSec VPN.

          Does anyone know the resolution to this?

          Thanks.

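The thread records no confirmed fix, so the following is an added example, not code from the posters or from pfSense. It models the one rule every IPsec stack applies and that both the first post and TimmZahn's post are reasoning about: a packet is tunnelled only if some Phase 2 traffic selector pair (local network, remote network) covers both its source and its destination, otherwise it is routed normally. The addresses are the ones from the first post; the tunnel names and the "full" selector sets are assumptions used to show which peer needs which selector before a mobile-client packet can reach 10.0.0.0/24. The model also shows why a static route cannot help (no selector match means no IPsec gateway is ever involved) and why the remote peer must carry the client subnet in its own policy, so it cannot stay hidden from the other side unless the client traffic is source-translated into a range the remote already accepts.

```python
"""Model of IPsec Phase 2 (SPD) selector matching for a mobile client that
must reach a network behind a second, site-to-site tunnel on the same hub.

Illustrative example only; not pfSense, racoon or strongSwan code.  It
implements the selector rule itself, nothing vendor-specific.  Tunnel names
and the *_FULL selector sets are assumptions, not something the thread
confirms works in the pfSense GUI."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    tunnel: str   # tunnel/SA the selector belongs to (assumed name)
    local: str    # local traffic selector, CIDR
    remote: str   # remote traffic selector, CIDR


def select_tunnel(spd: List[Phase2], src: str, dst: str) -> Optional[str]:
    """Outbound SPD lookup: first Phase 2 whose local covers src and whose
    remote covers dst.  None means 'not IPsec traffic': the packet is handed
    to the ordinary routing table, which has no IPsec gateway to offer."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in spd:
        if s in ip_network(p2.local) and d in ip_network(p2.remote):
            return p2.tunnel
    return None


def forward_path(client_spd, hub_spd, remote_spd, src, dst):
    """Trace one mobile-client packet src->dst through the four policy checks
    it must pass: client outbound, hub inbound (from the client), hub outbound
    (toward the remote), remote inbound.  Inbound checks use the mirrored
    selector, because that peer must accept the packet and send the reply
    back through the same SA.  Returns the tunnel chosen at each check; a
    trailing None marks the check where the packet falls out of IPsec."""
    hops = [select_tunnel(client_spd, src, dst)]
    if hops[-1] is None:
        return hops
    hops.append(select_tunnel(hub_spd, dst, src))      # hub accepts it from the client?
    if hops[-1] is None:
        return hops
    hops.append(select_tunnel(hub_spd, src, dst))      # hub re-encrypts toward the remote?
    if hops[-1] is None:
        return hops
    hops.append(select_tunnel(remote_spd, dst, src))   # remote peer accepts the client subnet?
    return hops


# Selectors as described in the first post (constructed from its numbers).
CLIENT_SPD = [Phase2("mobile", "192.168.32.0/19", "192.168.96.0/19")]
HUB_SPD = [
    Phase2("mobile", "192.168.96.0/19", "192.168.32.0/19"),     # mobile P2: Local = LAN subnet
    Phase2("site-to-site", "192.168.96.0/19", "10.0.0.0/24"),  # site-to-site P2
]
REMOTE_SPD = [Phase2("site-to-site", "10.0.0.0/24", "192.168.96.0/19")]

# Selectors the model requires on each of the three peers (assumed, not
# confirmed by the thread).  The hub needs two extra entries, one per tunnel.
CLIENT_SPD_FULL = CLIENT_SPD + [Phase2("mobile", "192.168.32.0/19", "10.0.0.0/24")]
HUB_SPD_FULL = HUB_SPD + [
    Phase2("mobile", "10.0.0.0/24", "192.168.32.0/19"),        # 10.0.0.0/24 announced to clients
    Phase2("site-to-site", "192.168.32.0/19", "10.0.0.0/24"),  # client subnet carried over site tunnel
]
REMOTE_SPD_FULL = REMOTE_SPD + [Phase2("site-to-site", "10.0.0.0/24", "192.168.32.0/19")]

CLIENT, SERVER = "192.168.32.5", "10.0.0.10"   # constructed sample hosts


if __name__ == "__main__":
    print("original  :", forward_path(CLIENT_SPD, HUB_SPD, REMOTE_SPD, CLIENT, SERVER))
    print("no mirror :", forward_path(CLIENT_SPD_FULL, HUB_SPD_FULL, REMOTE_SPD, CLIENT, SERVER))
    print("all peers :", forward_path(CLIENT_SPD_FULL, HUB_SPD_FULL, REMOTE_SPD_FULL, CLIENT, SERVER))
```

Run as-is it prints the three traces: with the first post's selectors the client never even encrypts the packet, because the hub only announced the LAN subnet; with the client and hub fixed but the remote peer unchanged, the packet is encrypted twice and then dropped by the remote, which is the case the first post wanted to avoid by keeping 192.168.32.0/19 invisible to the other side; only when all three peers carry the matching selectors does every check succeed.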
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.