IPsec Separate Pools
With road warriors you may want to allocate different users to different roaming pools, so that each pool can be firewalled in its own way.
Because of differences between IKE clients (mainly Windows, where you cannot set the 'Remote ID' as you can on OS X), the setup is a little involved: the FireBrick has to tell the two connections apart by the IP address and hostname the client connected to, rather than by an ID the client chooses.
The summary of the config is as follows:
- The FireBrick needs two separate IP addresses
- Create two separate hostnames for the FireBrick, e.g. vpn1.example.com and vpn2.example.com, each pointing to one of the IP addresses
- Set acme-hostname to include both hostnames, and certificates will be created automagically
- Create two roaming pools
- Create two IKE connections, one per hostname, and be sure to set local-ip, local-ID (FQDN:vpn1.example.com or FQDN:vpn2.example.com), auth-method=Certificate, peer-auth-method=EAP, and roaming-pool to the pool you want for that connection
- Create firewall rules as required
Example IKE config snippet:
...
<connection name="RoadWarriors-1" local-ip="x.x.x.1" graph="IPSEC:RoadWarriors-1" local-ID="FQDN:vpn1.example.com" roaming-pool="roam-pool-1" auth-method="Certificate" peer-auth-method="EAP" dead-peer-detect="0"/>
<connection name="RoadWarriors-2" local-ip="x.x.x.2" graph="IPSEC:RoadWarriors-2" local-ID="FQDN:vpn2.example.com" roaming-pool="roam-pool-2" auth-method="Certificate" peer-auth-method="EAP" dead-peer-detect="0"/>
...
<roaming name="roam-pool-1" ip="10.0.10.1-10" DNS="217.169.20.20 217.169.20.21"/>
<roaming name="roam-pool-2" ip="10.0.10.11-20" DNS="217.169.20.20 217.169.20.21"/>
...
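As an added example of the acme-hostname setting and the "firewall rules as required" step (this is not config from the original page or from FireBrick's own documentation), the fragments below tie the two pool ranges above to different firewall policies. They assume a LAN of 192.168.1.0/24 and a management host at 192.168.1.10, which are invented for the example, and they use the rule-set and rule attribute names as I understand the FireBrick config schema; check them against the XML reference for your firmware before committing.

```xml
<!-- Added example, not from the original page. Assumes the roaming pool
     ranges above, a LAN of 192.168.1.0/24 and a management host 192.168.1.10
     (both invented). Attribute names follow the FireBrick config schema as
     understood by the editor; verify against your firmware's reference. -->
...
<!-- Both hostnames on the same system element so ACME issues a certificate
     for each; the client validates the certificate against the name it dialled. -->
<system acme-hostname="vpn1.example.com vpn2.example.com"/>
...
<!-- Scope the rule-set to the roaming pool addresses only, so that the
     no-match-action="drop" cannot affect traffic from other sources. -->
<rule-set name="RoadWarriors" source-ip="10.0.10.0/24" no-match-action="drop">
  <!-- Pool 1 (10.0.10.1-10): full access to the LAN -->
  <rule name="pool1-lan" source-ip="10.0.10.1-10" target-ip="192.168.1.0/24" action="accept"/>
  <!-- Pool 2 (10.0.10.11-20): only SSH (TCP/22) to the management host -->
  <rule name="pool2-ssh" source-ip="10.0.10.11-20" target-ip="192.168.1.10" protocol="6" target-port="22" action="accept"/>
  <!-- Anything else from either pool, including pool-to-pool traffic, is dropped -->
</rule-set>
...
```

The important point is that the pool a user lands in is decided purely by which connection (and therefore which hostname and local IP) their client dialled; the rule-set keys on the resulting source address, so keep the two pool ranges non-overlapping and do not hand out a pool-2 address on the pool-1 connection.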