Mobile VPN Access to VLAN/interface?

So I see with IKEv2 the mobile VPN users are assigned an IP from the Virtual Address Pool.

I have an interface setup that is a VLAN with DHCP for all of our internal computers and printers. Is it possible to put a mobile VPN user on that network using IKEv2?



  • Options

    Usually bridging the networks is discouraged as far as I can tell as this then doesn't allow you to segregate VPN traffic, but is there a specific use-case to do this with IKEv2?
    (Microsoft RRAS server when used to terminate remote access VPNs actually does this [bridging VPN users to an existing network]).

    I see SSL VPN permits this after you setup your network to include a bridge interface though I have not tried this myself (I keep my VPN users on a separate network and then add policies as required, even if it is a broad allow type statement).

  • Options
    edited March 2023

    Nothing prevents you from assigning IP addrs from your VLAN range for the IKEv2 Virtual IP addr pool.
    Just make sure that the IP addrs for IKEv2 can't be assigned to your VLAN devices.

    Alternatively, you could add the "IKEv2-Users" alias to the From: field on policies which allow access for your VLAN users. This is my preference here.

  • Options

    @Bruce_Briggs ... I see. So I can do a DHCP reservation for a group of IP addresses and then use those in the virtual ip pool for the ikev2?

    We are simply going to be locking down some resources that cannot be accessed remotely unless connected to the VPN. I could also just add the ip addresses allowable that the current ikev2 virtual ip pool uses.

  • Options

    Not a DHCP reservation - just reduce the DHCP pool used for the VLAN from a subnet to an IP range.

  • Options

    Got it. Thanks Bruce

Sign In to comment.