Defining the networks that mobile peers can access with network objects
Mobile users may need to access one or several networks protected by the firewall.
For the purposes of the example presented in this tutorial, assume that mobile clients can access two separate, discontiguous networks via IPsec: Network 192.168.1.0/24 and Network 192.168.128.0/24. Two network objects therefore need to be created for this configuration.
You need to create as many network objects as the number of discontiguous networks that the VPN clients can reach.
Creating the first network object
Create the first network object in the module Configuration > Objects > Network objects:
- Click on Add.
- Select Network.
- Assign an Object name to this object (Local_Network_Authorized_IPsec in the example).
- Fill in the Network IP address (in the form of a network/mask) with the first protected network that mobile users can access:
192.168.1.0/24 or 192.168.1.0/255.255.255.0.
- Click on Create.
Creating the second network object
By following the method described for the first network object, create the second network object named Local_Network_Authorized_IPsec2 in the example, corresponding to the network 192.168.128.0/24 (or 192.168.128.0/255.255.255.0).
Do note that both of these network objects can be grouped as a group object.
For the purposes of illustration, we will deliberately not group them to show that several destination networks can be selected when creating the standard IPsec mobile policy.
If VPN clients must reach n discontiguous networks, i.e., networks that cannot be grouped in an IP address range or in a single network:
- n Phase 2 configurations must be created on each VPN client,
- Each VPN client will then need n IP addresses.
This will directly affect the size of the network dedicated to VPN clients.