@smk said in Troubleshooting DNS failures over VPN from Win11 clients:

Default Gateway is not being set on the VPN connection.

Pfsense does what you tell it to do - just because you connect to some vpn service - unless you tell pfsense to route all traffic out that connection, why would you think it should be default?

@viragomann It wasn't necessary. The issue was happening at the other peer, a Blockbit with two boxes, but the slave box, though operating, has not the redundancy enabled (cabling). When we turned off the slave box, the problem was solved.

Looks like Roland filed a report that was confirmed already:
https://redmine.pfsense.org/issues/15171

Nice!

@viragomann
It is policy-based tunnel (Tunnel IPv4).

Phase2 is working (status connected).

Status->SystemLogs->IPSEc has no corresponding entries.

But you said " and the subnet is not routed through the tunnel": This is exactly the problem - how to do this? As there are no thus options in the IPSec tunnel settings ("NAT/BINAT translation" should not be the corresponding option.)

@ctyokley
I’ve seen something like that happen. Phase 2 pfs negotiations succeed until it’s time to rekey. But not ok pfsense. Probably thinking of an ASA maybe

@Konstanti

Thanks! I will take a look at this. The problem is that I don't know for sure that this is the problem. I would hate to go through regeneration and deployment of new certificates and STILL have the issue.

I've managed to get everything (HTTPS/IPsec) working, except for the iPad. I'm guessing that the fragmentation is the issue since it's the last thing I see before destroying the connection.

It's not urgent that I get this working on the iPad since I do have a working IPsec on my phone. It would be rare I'm travelling with the iPad and NOT also have my phone available.

after much searching and trial and some error. I think i have solved the problem. It seemed to be loosing or having packets getting corrupted or out of order as i have seen some documents describe it. I ended up changing the maximum MSS on one firewall. Since i am new at this, it took a long time to find this setting so i will include it here for others that may be having similar problems.
system, advanced. firewall & nat tab
Scroll down to VPN packet processing, check box enable MSS clamping on VPN traffic. Maximum MSS 1400.
I disconnected the VPN and let it reconnect, just to make sure changes happened. After that print jobs between builds and web pages worked again.
Thanks.

@Tirthankar
You need to allow access from the remote site here, so from 192.168.1.0/24.

Nothing to discuss here I guess. Ticket has been opened in Redmine and a todo was assigned to version 2.8.0.

I carefully reviewed my settings against a working configuration and discovered that a few things were misconfigured or missing. I now have it working!

Now to try the same on an iPod!

Yeah like @michmoor is mentioning, I'd double check the config on both sides for Phase 1 and 2 and be sure they are identical.

If that still doesn't work then I'd dig deeper on the deleting SA issue mentioned by @Konstanti

Might also be worth checking to be sure the Fortigate is fully updated so there isn't a chance for some old bug.