Got tunnel, now the routing…
-
I have a brand new 2.0.1 pfSense, currently it's in a test environment.
I'm now trying to set up an IPsec host-to-network (mobile warrior) VPN, with another machine on a separate LAN.
OS X 10.6.8 with VPN Tracker 5.
Establishing the tunnel works great, but I'm unable to access or ping any address on the network, including pfSense.
Setup:
Network: 192.168.1.0 / 24
VPN client network: 192.168.8.0/24
VPN client LAN IP: 192.168.8.55
Relevant pfSense settings:
IPsec phase 1 My identifier: My IP address
NAT Traversal enabled
IPsec phase 2 Tunnels:
Mode: tunnel
Local Network: Type: Network
Address: 192.168.1.0/24
Mobile clients: Client Configuration:
Virtual Address Pool: enabled, network 192.168.1.0/24
Firewall has IPsec allowed for any/any
Relevant VPN client settings
Local Address: 77.77.77.77
Remote Network: 192.168.1.0 / 255.255.255.0
In pfSense's IPsec log all the references are to the public IP addresses of both WANs, except at the end:
no policy found, try to generate the policy: 77.77.77.77/32[0] 192.168.1.0/24[0]
Then it ends with
IPsec-SA established: ESP 74.112.151.148[500]->74.89.151.50[500] spi=….
Interesting entries from the VPN client log:
21:34:25 Phase 1 Finished
21:34:25 Next step: Processing vpntrackerd connection request
21:34:25 Next step: Finishing Phase 1
21:34:25 Next step: Creating policies
21:34:25 Next step: Rollback: Adding policy
21:34:25 Next step: Adding policy 77.77.77.77/32[any] <–-> 192.168.1.0/24[any] / unique
…..
21:34:25 Phase 2 Finished
21:34:25 Next step: Processing vpntrackerd connection request
21:34:25 Next step: Finishing Phase 2
21:34:25 Next step: Finishing connection
21:34:25 Next step: Rollback: Adding SA 192.168.8.55 <–-> 74.112.151.148
21:34:25 Next step: Configuring interface
21:34:25 Next step: Creating gif0 interface
21:34:25 Next step: Rollback: Adding gif0 interface
21:34:25 Next step: Setting up routes
21:34:25 Next step: Adding route for 74.112.151.148 over 192.168.8.254 via en1
21:34:25 Next step: Rollback: Adding route to 74.112.151.148
21:34:25 Next step: Adding route for 192.168.1.0/24 over gif0
21:34:25 Next step: Rollback: Adding route to 192.168.1.0/24
21:34:25 Connected
Any ideas are appreciated. Thanks!
-
I should also note that I tried to connect via an iPhone, both from within the 192.168.8.x network and on Verizon 3G. The results were the same - VPN connection established immediately, but I wasn't able to access any resource on the network.
-
You have the same problem as I described some postings earlier.
You have to use a COMPLETELY other IP address. Try 10.180.180.0 / 24 as virtual IP for your clients. Then you can connect to your firewall's LAN - but not any other tunnel…
BTW: Why do you use VPN-Tracker?!?!?! OS X 10.6 has the original Cisco VPN client onboard, which works perfectly with pfSense... ;-)
BTW 2: One of the moderators COULD answer all the serious IPsec problems everybody (!) seems to have. Or do you get support ONLY if it's paid support?!?!
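An added sanity check, written for this thread and not taken from either poster or from pfSense, that encodes the reply's advice: it takes the subnets posted above and the quoted "no policy found" log line, flags a virtual address pool that overlaps the Phase 2 local network or the client's own LAN, and reports the selectors racoon actually generated. The 77.77.77.77 address and the log line are the ones quoted in the thread; the interpretation that the client-side selector should be a /32 drawn from the pool rather than the client's public address is my assumption, marked as such in the code.

```python
import ipaddress
import re

# Values constructed from the numbers posted in this thread; nothing here
# was read from a live pfSense box.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")          # Phase 2 "Local Network"
POOL_NET = ipaddress.ip_network("192.168.1.0/24")         # Mobile clients "Virtual Address Pool"
CLIENT_LAN = ipaddress.ip_network("192.168.8.0/24")       # LAN the VPN client sits on
SUGGESTED_POOL = ipaddress.ip_network("10.180.180.0/24")  # pool suggested in the reply

# The "no policy found" line quoted from the pfSense IPsec log in the first post.
POLICY_LINE = ("no policy found, try to generate the policy: "
               "77.77.77.77/32[0] 192.168.1.0/24[0]")

# racoon prints the two selectors as <prefix>[<port>] <prefix>[<port>].
SELECTOR_RE = re.compile(r"policy:\s+(\S+?)\[\d+\]\s+(\S+?)\[\d+\]")


def parse_policy(line):
    """Return (client_selector, remote_selector) from a 'no policy found' line."""
    m = SELECTOR_RE.search(line)
    if m is None:
        raise ValueError("no selector pair found in: %r" % line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def check_pool(pool, lan, client_lan):
    """List the reasons a virtual address pool is unusable for this setup.

    A pool that overlaps the protected LAN hands clients addresses the LAN
    already treats as local; a pool that overlaps the client's own LAN
    collides on the client side instead.
    """
    problems = []
    if pool.overlaps(lan):
        problems.append("pool %s overlaps the Phase 2 local network %s" % (pool, lan))
    if pool.overlaps(client_lan):
        problems.append("pool %s overlaps the client's own LAN %s" % (pool, client_lan))
    return problems


def check_policy(line, pool, lan):
    """Compare the selectors racoon generated with the intended pool and LAN.

    Assumption (mine, not stated in the thread): with a virtual address pool
    the client-side selector should be a /32 taken from that pool, not the
    client's public address.
    """
    client_sel, remote_sel = parse_policy(line)
    problems = []
    if remote_sel != lan:
        problems.append("remote selector %s is not the Phase 2 local network %s"
                        % (remote_sel, lan))
    if not client_sel.subnet_of(pool):
        problems.append("client selector %s is not drawn from the virtual pool %s"
                        % (client_sel, pool))
    return problems


if __name__ == "__main__":
    for name, pool in (("posted pool", POOL_NET), ("suggested pool", SUGGESTED_POOL)):
        print(name, pool, check_pool(pool, LAN_NET, CLIENT_LAN) or ["ok"])
    print("policy line:", check_policy(POLICY_LINE, POOL_NET, LAN_NET) or ["ok"])
```

Run as-is it reports the overlap for the posted pool, nothing for the suggested 10.180.180.0/24 pool, and that the client selector in the quoted log line is the client's public /32 rather than a pool address; swap in your own subnets and log line to repeat the check on another box.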