Netgate Discussion Forum
    Newbie IPSec Road Warrior Question

    6 Posts 1 Posters 4.9k Views
    proksy

      Hi all,

      I am new to the forum and have been using pfSense for almost two years and think it's better than sliced bread. I am trying to configure VPN via IPsec and have followed the tutorial found here: http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To. The client establishes a connection just fine; I checked the IP of the remote computer, verified the logs, and am able to ping the pfSense box. When I try to ping any other devices on my network, the requests time out. I know it has to be pure ignorance on my part, but I am not sure why my ping requests time out.

      In the tutorial under client configuration,

      Host: <pfSense box WAN IP>
      Port: 500
      Auto: Disabled
      Adapter: Use virtual adapter and assigned address
      Address: (pick some other random range you are not using, like 192.168.111.xx)
      Netmask: 255.255.255.0

      the "random" range that I used was 192.168.120.0 - 255. There will only be a few remote users. When I establish a connection through the VPN I see my IP address has changed accordingly to 192.168.120.1, for example, but when trying to ping my domain server or other devices on the network on the 192.168.1.xxx subnet, the requests time out. When I select an address inside my network's IP range, 192.168.1.xxx, everything is fine and I can talk with/access everything. I like the idea of separating the IPs for the VPN and following this tutorial all the way. Can someone help educate me on this? Thanks :)

      proksy

        update:

        So I figured out that I had not actually gained access to my network because I was actually on my network: the laptop I was on dropped the wireless connection I was "borrowing" and reconnected to my own network during my test. I am truly off of my network now and am able to establish a connection using the Shrew client with either the 192.168.120.xx or the 192.168.1.xx subnet, but I am unable to access anything inside of my network, not even my pfSense box.

        My Shrew client displays the following:

        config loaded for site '[hidden]'
        configuring client settings …
        attached to key daemon ...
        peer configured
        iskamp proposal configured
        esp proposal configured
        client configured
        local id configured
        pre-shared key configured
        bringing up tunnel ...
        network device configured
        tunnel enabled

        The client is on a Windows PC, and when I looked at the ipconfig info for the VPN tunnel I see the following:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
        Physical Address. . . . . . . . . : AA-AA-AA-46-8A-00
        DHCP Enabled. . . . . . . . . . . : No
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : hidden
        IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : [there's no default gateway??]
        DHCPv6 IAID . . . . . . . . . . . : 464169642
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-C0-42-E2-00-A0-D1-8B-B7-BD

        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

        I am not sure what is going on. Everything looks good on the Shrew client, but not having a default gateway seems weird. I know I am missing something very simple. Thanks for any help and direction. :)

        proksy

          another update:

          I was messing with some things on the pfSense box and I noticed that when I enable NAT-T I can establish a connection, but the connection drops shortly after, failing at phase 1 with a timeout. So if I turn NAT-T on on both sides a connection is established, but not all the way, apparently. My pfSense IPsec logs show this:

          Aug 19 20:50:24 racoon: ERROR: phase1 negotiation failed due to time up. 456d87e7a5481bec:bf253d929a2e7e6b
          Aug 19 20:50:19 racoon: [Unknown Gateway/Dynamic]: INFO: Hashing [remote server][500] with algo #2
          Aug 19 20:50:19 racoon: [Unknown Gateway/Dynamic]: INFO: Hashing [remote client][500] with algo #2
          Aug 19 20:50:19 racoon: INFO: Adding remote and local NAT-D payloads.
          Aug 19 20:50:19 racoon: INFO: Selected NAT-T version: RFC 3947
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: CISCO-UNITY
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: DPD
          Aug 19 20:50:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: RFC 3947
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
          Aug 19 20:50:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
          Aug 19 20:50:19 racoon: INFO: begin Aggressive mode.
          Aug 19 20:50:19 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 7[remote server[500]<=>[remote client]

          Everything matches up on pfSense and Shrew, so I am not sure what to do from here.

          proksy

            If I disable NAT-T on both ends I get a connection established, but in the IPsec server logs I get this:

            Aug 19 21:03:23 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established [remote server ip][500]-[remote client ip][500] spi:1e87438f1a87d2e8:30b277ef88611fa4
            Aug 19 21:03:23 racoon: INFO: received Vendor ID: CISCO-UNITY
            Aug 19 21:03:23 racoon: INFO: received Vendor ID: DPD
            Aug 19 21:03:23 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
            Aug 19 21:03:23 racoon: INFO: begin Aggressive mode.
            Aug 19 21:03:23 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: [remote server ip][500]<=>[remote client ip][500]

            The Shrew client displays "tunnel enabled" and appears to be connected, but all ping requests into the network fail and I don't have any default gateway. I do believe there should be two responses reporting an inbound and an outbound tunnel, and I don't see those. Has anyone seen this before? What am I doing wrong? Thanks

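The two log excerpts above (phase 1 timing out right after NAT-T is negotiated, and an ISAKMP SA with no IPsec SA following it) can be triaged mechanically. The script below is an added example for this thread, not pfSense or racoon code. It assumes the `racoon: ...` line shape pfSense pastes into its IPsec log, with the milestone strings taken from the excerpts in these posts (the two marked "assumed" are the wording racoon uses for a completed exchange, which the thread does not show); line order does not matter, since the web UI lists newest first. The three sample logs are constructed: the first two are the redacted lines from the posts above, the third is an assumed healthy exchange.

```python
"""Triage pfSense/racoon IKEv1 log lines for one road-warrior peer.

Added example for the thread above, not racoon or pfSense code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample 1: redacted lines from the NAT-T attempt in the thread
# (phase 1 times out right after NAT-D payloads are exchanged).
PHASE1_TIMEOUT_LOG = """\
Aug 19 20:50:24 racoon: ERROR: phase1 negotiation failed due to time up. 456d87e7a5481bec:bf253d929a2e7e6b
Aug 19 20:50:19 racoon: INFO: Adding remote and local NAT-D payloads.
Aug 19 20:50:19 racoon: INFO: Selected NAT-T version: RFC 3947
Aug 19 20:50:19 racoon: INFO: begin Aggressive mode.
Aug 19 20:50:19 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: [remote server][500]<=>[remote client][500]
"""

# Constructed sample 2: the NAT-T-disabled attempt (ISAKMP SA up, no IPsec SA).
NO_PHASE2_LOG = """\
Aug 19 21:03:23 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established [remote server ip][500]-[remote client ip][500] spi:1e87438f1a87d2e8:30b277ef88611fa4
Aug 19 21:03:23 racoon: INFO: begin Aggressive mode.
Aug 19 21:03:23 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: [remote server ip][500]<=>[remote client ip][500]
"""

# Constructed sample 3 (assumed shape, not from the thread): IKE floats to
# UDP/4500 and racoon logs one IPsec-SA line per direction.
TUNNEL_UP_LOG = """\
Aug 19 22:10:02 racoon: INFO: IPsec-SA established: ESP/Tunnel [remote server ip][4500]->[remote client ip][4500] spi=2001350788(0x774a3084)
Aug 19 22:10:02 racoon: INFO: IPsec-SA established: ESP/Tunnel [remote client ip][4500]->[remote server ip][4500] spi=61449426(0x3a9a4d2)
Aug 19 22:10:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established [remote server ip][4500]-[remote client ip][4500] spi:0a1b2c3d4e5f6071:8899aabbccddeeff
Aug 19 22:10:01 racoon: INFO: Selected NAT-T version: RFC 3947
Aug 19 22:10:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: [remote server ip][500]<=>[remote client ip][500]
"""

# Milestone substrings; all appear in the thread's excerpts except the
# IPsec-SA wording, which is assumed.
MARKERS = {
    "phase1_started": "respond new phase 1 negotiation",
    "natt_selected": "Selected NAT-T version",
    "phase1_timeout": "phase1 negotiation failed due to time up",
    "isakmp_sa_up": "ISAKMP-SA established",
    "ipsec_sa_up": "IPsec-SA established",  # assumed wording
}
COOKIES_RE = re.compile(r"failed due to time up\. ([0-9a-f]{16}:[0-9a-f]{16})")


@dataclass
class Triage:
    seen: Set[str] = field(default_factory=set)
    ipsec_sa_lines: int = 0            # racoon logs one per direction
    phase1_cookies: Optional[str] = None
    verdict: str = ""
    advice: str = ""


def scan(log: str) -> Triage:
    """Record which milestones occur, independent of line order."""
    t = Triage()
    for line in log.splitlines():
        if "racoon:" not in line:
            continue  # some other daemon sharing the syslog
        for name, needle in MARKERS.items():
            if needle in line:
                t.seen.add(name)
        if MARKERS["ipsec_sa_up"] in line:
            t.ipsec_sa_lines += 1
        m = COOKIES_RE.search(line)
        if m:
            t.phase1_cookies = m.group(1)  # ISAKMP cookie pair of the dead SA
    return t


def triage(log: str) -> Triage:
    """Map the milestones to the failure stage and what to check next."""
    t = scan(log)
    s = t.seen
    if "phase1_started" not in s:
        t.verdict, t.advice = "no_phase1", (
            "No phase 1 proposal reached racoon: UDP/500 from the client "
            "never arrived, or this log belongs to another peer.")
    elif "phase1_timeout" in s and "isakmp_sa_up" not in s:
        if "natt_selected" in s:
            t.verdict, t.advice = "phase1_timeout_after_natt", (
                "Phase 1 died right after NAT-T was agreed. From that point "
                "IKE moves from UDP/500 to UDP/4500, so a WAN rule that "
                "passes UDP 500 but not UDP 4500 fits the symptom.")
        else:
            t.verdict, t.advice = "phase1_timeout", (
                "Phase 1 timed out before NAT-T: check the pre-shared key, "
                "identifiers and phase 1 proposal on both ends.")
    elif "isakmp_sa_up" in s and t.ipsec_sa_lines == 0:
        t.verdict, t.advice = "no_phase2", (
            "ISAKMP SA up but no IPsec-SA logged, so no ESP can flow yet: "
            "compare the phase 2 proposals and read the client's own log. "
            "Without NAT-T, ESP (IP protocol 50) also rarely survives a NAT "
            "in front of the client; that is what NAT-T is for.")
    elif t.ipsec_sa_lines < 2:
        t.verdict, t.advice = "phase2_partial", "Only one direction of the IPsec SA was logged."
    else:
        t.verdict, t.advice = "tunnel_up", (
            "Both IPsec SAs are up. If LAN hosts still do not answer, look at "
            "the IPsec-tab firewall rules and at the client pool, which must "
            "lie outside the LAN subnet, rather than at IKE.")
    return t
```

Run `triage(PHASE1_TIMEOUT_LOG)` and `triage(NO_PHASE2_LOG)` to get the two verdicts that correspond to the two posts above; the `phase1_cookies` field carries the cookie pair printed on the `ERROR` line, which is what to grep for on the client side.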
            proksy

              new update:

              I have successfully been able to enable NAT-T. I had to create a WAN UDP rule on the firewall to allow port 4500 through. The tunnel is successful, and now I get past phase 1 and phase 2 and am able to ping the default gateway, but I am unable to ping anything inside the network. I have a rule in place on the firewall for IPsec to allow all traffic on any port on any proto just to get this working, but nothing works, just communication to the default gateway. I've got to be getting close.

              proksy

                [SOLVED]:

                Here was the main hangup: I needed to use NAT-T to work from behind other NATs, and to do that I created a firewall rule under WAN to allow UDP traffic through port 4500. This allowed me to get past phase 1 and 2. I then remembered that I was switching around the IP address for the remote client, putting it inside my subnet, then outside, and back in. I reread the tutorial and it does clearly say to use an IP outside your subnet, so I was just giving myself headaches by not sticking with the tutorial after opening port 4500.

                Long story short,

                to enable NAT-T, create a firewall rule under WAN for UDP port 4500, and follow the tutorial! ;)

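The two mistakes the thread ends on (a client pool inside the LAN subnet, and a WAN that passes UDP 500 but not UDP 4500 for NAT-T) are cheap to check before anyone connects. The script below is an added example, not pfSense code and not part of the tutorial: `WanRule` and its fields are this script's own notation for "what the WAN pass rules allow", not pfSense's rule syntax, and the script only knows what you describe to it. The "no NAT-T" branch, which demands ESP (IP protocol 50) instead of UDP 4500, is a generalization beyond the thread, which only covers the NAT-T case.

```python
"""Pre-flight lint for a pfSense IPsec road-warrior setup.

Added example for the thread above; assumed, hand-written description of
the firewall, not pfSense's own configuration format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class WanRule:
    proto: str                  # "udp", "tcp", "esp" or "any"
    dst_port: Optional[int]     # None = any port (or a port-less protocol)
    action: str = "pass"


def required_wan_rules(nat_t: bool) -> List[WanRule]:
    """IKE always needs UDP/500. With NAT-T the rest of IKE and the ESP
    payload ride on UDP/4500; without it, ESP itself must be allowed in."""
    needed = [WanRule("udp", 500)]
    needed.append(WanRule("udp", 4500) if nat_t else WanRule("esp", None))
    return needed


def rule_covers(rule: WanRule, needed: WanRule) -> bool:
    """Does one configured pass rule satisfy one requirement?"""
    if rule.action != "pass":
        return False
    if rule.proto not in ("any", needed.proto):
        return False
    return rule.dst_port in (None, needed.dst_port)


def missing_wan_rules(rules: List[WanRule], nat_t: bool) -> List[WanRule]:
    return [n for n in required_wan_rules(nat_t)
            if not any(rule_covers(r, n) for r in rules)]


def pool_conflict(lan_cidr: str, pool_cidr: str) -> Optional[str]:
    """The virtual-adapter pool must not overlap the LAN, or the client
    routes LAN destinations to its own on-link adapter instead of the tunnel."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    if lan.overlaps(pool):
        return f"client pool {pool} overlaps LAN {lan}: pick a range outside the LAN"
    return None


def lint(lan_cidr: str, pool_cidr: str, wan_rules: List[WanRule],
         nat_t: bool = True) -> List[str]:
    """All findings for one setup; an empty list means nothing to fix."""
    findings = []
    conflict = pool_conflict(lan_cidr, pool_cidr)
    if conflict:
        findings.append(conflict)
    for n in missing_wan_rules(wan_rules, nat_t):
        port = f"/{n.dst_port}" if n.dst_port else ""
        findings.append(f"no WAN pass rule for {n.proto}{port} to the firewall's WAN address")
    return findings


if __name__ == "__main__":
    # The thread's starting point: client got 192.168.1.50/24 (inside the LAN),
    # and only the UDP/500 rule existed on the WAN.
    for f in lint("192.168.1.0/24", "192.168.1.50/24", [WanRule("udp", 500)]):
        print("FAIL:", f)
    # The [SOLVED] state: pool 192.168.120.0/24, UDP 500 and 4500 passed.
    print("fixed:", lint("192.168.1.0/24", "192.168.120.0/24",
                         [WanRule("udp", 500), WanRule("udp", 4500)]))
```

A rule with `action="block"` or one for the wrong protocol never counts as coverage, and a `dst_port=None` UDP rule (any port) covers both IKE ports; the ipconfig in the second post (`192.168.1.50`, mask `255.255.255.0`) is exactly the overlap the first check flags.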
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.