
Topic: IPsec VPNs for S2S and mobile clients

TMA-3 (Newbie)
IPsec VPNs for S2S and mobile clients
« on: January 15, 2018, 07:35:46 pm »
I'm attempting to create 2 IPsec VPN configurations, one for site-to-site and another for mobile clients.  I'd like to use different IP addresses for each (I have a /29 block of public IPs assigned to me) and hand out hostnames that make sense (sitename.company.com and vpn.company.com, for example).  I thought that I should assign these IP addresses to separate interfaces, but I have not been successful in getting this to work.  It seems from the examples I've found that the preferred way to handle multiple public IP addresses is to use the Virtual IPs feature and just use the WAN interface for both.

Is it possible to have my OPT1 interface handle the VPN for my mobile clients while having the site-to-site VPN on my WAN interface?  Or is this creating more trouble than it is worth?

Thank you for any advice.

Derelict (Global Moderator)
Re: IPsec VPNs for S2S and mobile clients
« Reply #1 on: January 15, 2018, 07:50:28 pm »
Use a Virtual IP. You can't configure two interfaces on the same subnet.
--
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS(TM)

TMA-3 (Newbie)
Re: IPsec VPNs for S2S and mobile clients
« Reply #2 on: January 15, 2018, 08:42:01 pm »
> Use a Virtual IP. You can't configure two interfaces on the same subnet.

Oh, dear - is that the issue here?  I was attempting to assign each interface with a single IP (/32) ... does that make a difference or is the proper way to enter the /29 network for the WAN interface and use the Virtual IPs for each?  Sounds like it?

Thanks!

Derelict (Global Moderator)
Re: IPsec VPNs for S2S and mobile clients
« Reply #3 on: January 15, 2018, 08:52:27 pm »
Yes. One interface with two addresses.

TMA-3 (Newbie)
Re: IPsec VPNs for S2S and mobile clients
« Reply #4 on: January 17, 2018, 10:52:47 pm »
> Yes. One interface with two addresses.

Thanks for the assistance!

I now have my WAN configured properly with /29, my two IP aliases configured and I can reach the WAN interface from outside.  Here is my next question:  How do I listen for VPN connections on a specific IP alias?  In the IPsec configuration I am only given a choice of the WAN interface in the Phase 1 section - I don't see a place to indicate an alias (or where I expect the incoming connection to arrive).  How can I accomplish this?  I'd like the site-to-site VPN on one IP and the Mobile VPN on the other.

Thank you!

Derelict (Global Moderator)
Re: IPsec VPNs for S2S and mobile clients
« Reply #5 on: January 18, 2018, 01:44:31 pm »
My WAN VIP (172.25.228.6) is listed as a choice there...

TMA-3 (Newbie)
Re: IPsec VPNs for S2S and mobile clients
« Reply #6 on: January 20, 2018, 11:36:13 am »
> My WAN VIP (172.25.228.6) is listed as a choice there...

Ah, OK - I added my IPs as firewall aliases and not as virtual IP addresses.  Now they show up - thank you!

When I enter my IPs in the virtual IP address section, should I be using the netmask for my IP block (/29) or should I be using a single IP address mask (/32)?

Thank you.

Derelict (Global Moderator)
Re: IPsec VPNs for S2S and mobile clients
« Reply #7 on: January 20, 2018, 12:57:56 pm »
If you use IP Alias type (probably what you want) you should use the interface subnet.

If you use CARP type (not sure why you would) you should use the interface subnet.

You cannot use Proxy ARP or Other because you cannot bind services on the firewall (like IPsec) to them.
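A small pre-flight check that encodes the rules the thread settles on: reply #1 (two interfaces must not share a subnet), reply #7 (an IP Alias or CARP VIP carries the parent interface's subnet mask and must sit inside that subnet; Proxy ARP and "Other" VIPs cannot host a firewall service such as IPsec), and replies #5/#6 (only Virtual IPs, never entries from Firewall > Aliases, show up as Phase 1 interface choices). This is an added example, not pfSense code and not something posted in the thread. The 203.0.113.0/29 block, the interface names, the VIP descriptions and the mode strings ("ipalias", "carp", "proxyarp", "other") are constructed labels for illustration, not pfSense's own configuration keys.

```python
"""Model the Virtual IP / IPsec-listener rules discussed in this thread.

Added example, not pfSense code. Addresses come from the documentation
range 203.0.113.0/29 and are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# VIP types a service running on the firewall (IPsec, here) can bind to.
BINDABLE_VIP_MODES = {"ipalias", "carp"}
# Proxy ARP and "Other" only make the address answer on the wire / work for
# NAT; nothing on the firewall can listen on them (reply #7).
NON_BINDABLE_VIP_MODES = {"proxyarp", "other"}


@dataclass(frozen=True)
class Interface:
    name: str   # constructed label, e.g. "wan", "opt1"
    cidr: str   # address with the interface's real mask, e.g. "203.0.113.2/29"


@dataclass(frozen=True)
class VirtualIP:
    interface: str  # parent interface name
    cidr: str       # address with mask as entered in the VIP form
    mode: str       # ipalias | carp | proxyarp | other (labels chosen here)
    descr: str = ""


def check_interfaces(ifaces: List[Interface]) -> List[str]:
    """Reply #1: no two interfaces may share or overlap a subnet.

    Catches the original attempt (a /32 from the /29 on OPT1 while WAN
    holds the /29) as well as two interfaces configured with the same /29.
    """
    problems = []
    nets = [(i.name, ipaddress.ip_interface(i.cidr).network) for i in ifaces]
    for idx, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[idx + 1:]:
            if net_a.overlaps(net_b):
                problems.append(
                    f"{name_a} ({net_a}) and {name_b} ({net_b}) overlap: "
                    "put the block on one interface and use Virtual IPs"
                )
    return problems


def check_vip(vip: VirtualIP, ifaces: List[Interface]) -> List[str]:
    """Reply #7: IP Alias/CARP VIPs use the interface subnet mask and must
    lie inside the parent interface's subnet; Proxy ARP/Other cannot host IPsec."""
    problems = []
    parent = next((i for i in ifaces if i.name == vip.interface), None)
    if parent is None:
        return [f"{vip.cidr}: unknown interface {vip.interface!r}"]
    parent_if = ipaddress.ip_interface(parent.cidr)
    vip_if = ipaddress.ip_interface(vip.cidr)

    if vip.mode in NON_BINDABLE_VIP_MODES:
        problems.append(f"{vip.cidr}: mode {vip.mode} cannot bind IPsec; use ipalias")
    elif vip.mode not in BINDABLE_VIP_MODES:
        problems.append(f"{vip.cidr}: unknown VIP mode {vip.mode!r}")
    if vip_if.ip not in parent_if.network:
        problems.append(f"{vip.cidr}: not inside {vip.interface} subnet {parent_if.network}")
    if vip_if.network.prefixlen != parent_if.network.prefixlen:
        problems.append(
            f"{vip.cidr}: mask should be the interface subnet mask "
            f"/{parent_if.network.prefixlen}, not /{vip_if.network.prefixlen}"
        )
    if vip_if.ip == parent_if.ip:
        problems.append(f"{vip.cidr}: duplicates the interface address")
    return problems


def ipsec_listen_choices(ifaces: List[Interface], vips: List[VirtualIP]) -> List[str]:
    """Replies #5/#6: the Phase 1 'Interface' list offers the interfaces plus
    bindable VIPs. Firewall > Aliases entries are not VIPs and never appear."""
    choices = [i.name for i in ifaces]
    choices += [f"{v.interface}:{ipaddress.ip_interface(v.cidr).ip}"
                for v in vips if v.mode in BINDABLE_VIP_MODES]
    return choices


# Constructed sample: the /29 lives on WAN, two extra addresses become VIPs.
WAN = Interface("wan", "203.0.113.2/29")
OPT1_WRONG = Interface("opt1", "203.0.113.3/32")   # the OP's first attempt

VIPS = [
    VirtualIP("wan", "203.0.113.3/29", "ipalias", "sitename.company.com (S2S)"),
    VirtualIP("wan", "203.0.113.4/29", "ipalias", "vpn.company.com (mobile)"),
]
BAD_VIPS = [
    VirtualIP("wan", "203.0.113.5/32", "ipalias"),   # /32 instead of the /29
    VirtualIP("wan", "203.0.113.6/29", "proxyarp"),  # cannot host IPsec
    VirtualIP("wan", "203.0.113.12/29", "ipalias"),  # outside the /29
]

if __name__ == "__main__":
    for p in check_interfaces([WAN, OPT1_WRONG]):
        print("interface:", p)
    for v in VIPS + BAD_VIPS:
        for p in check_vip(v, [WAN]):
            print("vip:", p)
    print("Phase 1 interface choices:", ipsec_listen_choices([WAN], VIPS))
```

Running the block prints one overlap complaint for the WAN/OPT1 pair, one complaint each for the three bad VIPs, and a Phase 1 choice list containing `wan` plus the two IP Alias addresses, which is what the site-to-site and mobile Phase 1 entries would each select.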