Mobile IPsec limited to one entry



  • In trying to set up mobile IPsec it seems that I can only create one instance.

    Am I missing something or is that intended?

    I have clients that need to be able to access different networks and they should not all have the same access. I.e. user group 1 needs to be able to access networks a and b, but not networks c, d and e. However, user group 2 needs to be able to access them all.

    I can do this with OpenVPN and obviously can create multiple site to site ipsec, so I do not understand why mobile ipsec would be limited to one.

    OpenVPN will not work, because it does not support split-dns and given the feeling in that community that DNS and other features should not be a function of a VPN client, I doubt it ever will. However, ipsec clients have had features like split-dns, client side firewall, etc for a while so it is ideal for this.

    If this is really a limitation of pfSense, I would like to suggest that this limitation be lifted.

    Another feature request is to have an any option for the remote subnet, which is a common option for ipsec hosts.

    Thanks,

    Rhongomiant


  • Banned

    @Rhongomiant:

    Another feature request is to have an any option for the remote subnet, which is a common option for ipsec hosts.

    Huh? How's this related to mobile IPsec? You have no idea what's the remote subnet going to be there. Makes no sense. Just use the "non-mobile" tunnel for this.



  • Is it just mobile IPsec that is limited to this or is it IPsec of pfSense in general? If one can have multiple configurations for different clients, then how is this achieved?


  • Banned

    Really just mobile. Sounds like you are doing the wrong thing. Otherwise, you can have as many IPsec tunnels with different configurations and one or multiple P2s as needed.



  • doktornotor,

    I don't think you understand the situation or how mobile IPsec works. You can't use a standard config for mobile clients.

    A standard IPsec config requires a remote gateway and will try to negotiate the connection with the remote gateway. Additionally, it has no mechanism for handing out IPs to mobile clients. The ipsec mobile client tab sets up a tunnel that is only initiated by the remote client and it hands an IP to the client upon connection.

    I need users to be able to connect randomly from any public IP and I need different groups of users to be able to access different network resources. Since there is no control over how IPs are handed to the mobile clients, I cannot control access to networks using firewall rules. The only solution is to be able to create multiple mobile client configs, and this is a common option for IPsec hosts.

    lifeboy,

    Only mobile ipsec has this limitation. You can have multiple site to site configs.

    Thanks,

    Rhongomiant


  • Banned

    All I was commenting on is that the request to implement "option for the remote subnet" on mobile IPsec is just nonsense.

    Other than that, I'd suggest moving to OpenVPN and forgetting about this overly complicated, error prone, poorly compatible and generally horribly buggy IPsec thing.



  • @doktornotor:

    All I was commenting on is that the request to implement "option for the remote subnet" on mobile IPsec is just nonsense.

    This is true, but I think it was more a matter of wording than being the actual request. The request seems to be the ability to control which IP gets assigned to mobile clients, which is a legit feature request and something I hope we can accommodate in the future.



  • @doktornotor:

    All I was commenting on is that the request to implement "option for the remote subnet" on mobile IPsec is just nonsense.

    Other than that, I'd suggest moving to OpenVPN and forgetting about this overly complicated, error prone, poorly compatible and generally horribly buggy IPsec thing.

    doktornotor,

    My apologies, I did not pay attention to the specific quote to which you were commenting. I should have been clearer: that suggestion is not for Mobile IPsec.

    @doktornotor:

    Other than that, I'd suggest moving to OpenVPN and forgetting about this overly complicated, error prone, poorly compatible and generally horribly buggy IPsec thing.

    I disagree with your assessment of IPsec as a general practice. I do agree that OpenVPN is easier to set up and I have had fewer issues with it, but…

    IPsec is commonly used for enterprises and while it is harder to set up, a measure of that is really a pfSense issue. Other network appliances allow you to use "Aliases" in the phase 2 subnet fields so you do not have to manually create a P2 entry for each and every subnet-to-subnet mapping.

    IPsec is more mature with a greater feature set. One of the large ones for me is split-DNS. I make multiple VPN connections at times and when more than one has local-only DNS then I can only get to internal sites for one of the connections. The split-DNS solution was implemented in IPsec, which solves this. Each connection provides a list of zones that are local, and DNS requests for hosts in those zones are pushed over the appropriate tunnel while the rest go through your system's default DNS path. The OpenVPN community does not seem to get the value of this, so unless the devs see past that, it will never have split-DNS.

    I appreciate your comments and I apologize again for my confusion.

    Thank you,

    Rhongomiant
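The split-DNS behaviour described in the last post, written out as an added illustration (not pfSense or strongSwan code, and not part of the thread): each tunnel advertises the zones that are local to it, a query is steered to the DNS servers of the tunnel whose zone is the longest suffix match, and anything that matches no zone takes the system's default resolver path. Tunnel names, zones and server addresses below are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample: the system's default resolver path.
DEFAULT_DNS = ["192.0.2.53"]


@dataclass
class Tunnel:
    """One VPN connection and the DNS zones it declares as local."""
    name: str
    dns_servers: list
    local_zones: list = field(default_factory=list)


# Constructed sample tunnels. Note that corp-b also claims a sub-zone of
# corp-a's zone, so the longest-suffix rule is what keeps them apart.
SAMPLE_TUNNELS = [
    Tunnel("corp-a", ["10.10.0.53"], ["corp-a.example", "10.10.in-addr.arpa"]),
    Tunnel("corp-b", ["10.20.0.53"], ["corp-b.example", "lab.corp-a.example"]),
]


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing root dot.
    return name.rstrip(".").lower()


def select_resolvers(qname: str, tunnels: list) -> tuple:
    """Return (tunnel_name, dns_servers) that should answer qname.

    A zone matches when qname is the zone apex itself or a name beneath it
    (so "evilcorp-a.example" does not match "corp-a.example"). The longest
    matching zone wins; no match means the default path, named "default".
    """
    q = _normalize(qname)
    best, best_len = None, -1
    for tunnel in tunnels:
        for zone in tunnel.local_zones:
            z = _normalize(zone)
            if (q == z or q.endswith("." + z)) and len(z) > best_len:
                best, best_len = tunnel, len(z)
    if best is None:
        return ("default", DEFAULT_DNS)
    return (best.name, best.dns_servers)


if __name__ == "__main__":
    for name in ["intranet.corp-a.example", "host.lab.corp-a.example", "www.example.com"]:
        print(name, "->", select_resolvers(name, SAMPLE_TUNNELS))
```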

