iPhone IPsec connects but not routing traffic 2.2.3
-
I upgraded to the 2015-07-17 snapshot and it still isn't working; maybe this evening when I get a chance I will set up a new VM on the host and try it fresh. I did a fresh VM with 2.2.3 and wasn't able to get it to route traffic either.
-
That was part of the issue but not all of it, now that I look closer at your screenshots. The peer identifier isn't asn1dn with that setup; it's user distinguished name. https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
-
You sure about that? I'm not having any issues authenticating, even against the RADIUS DB in Mac OS. The only issue I am having is passing traffic. I can try that, but from what I remember it changed the behavior to require an email instead of just a name.
-
OK, so the fresh install from the 1:30pm DEV release did kind of work. I was able to just redo the few basic settings I had from memory and everything connected as expected, and I was able to hit devices over the VPN. I was also able to leave the setting of user distinguished name, so I didn't have to use an email address, which it was requiring prior to. I have an issue connecting to one system, a home DVR: it won't connect at all, but various other items are fine, and I see the allow rule trigger in the logs but the app doesn't respond. Things like web traffic and VNC work flawlessly. I checked my rules and I have the protocol set to any, thinking it was a UDP/TCP issue at first.
It also now isn't connecting to my remote IPsec site, but I see some very erratic P2 behavior and I am hopeful updating the remote site to the latest dev release of pfSense will fix that.
-
I'm still fighting with two issues that maybe someone could offer a direction on how to troubleshoot.
Site-to-site VPN is up and local traffic can talk to the remote site without issue, and from the other side same thing. When I connect to the mobile VPN I can ping local resources fine. If I try to ping the remote site over the site-to-site VPN I don't get any traffic on the remote side.
The other issue is a local DVR camera system. I can connect to most of the services I've tried: SSH, HTTP, VNC. However, when I connect to the DVR I get a timeout.
I'm hoping these might be related, because when I examine the logs they both show they should be working. I see the green arrows showing the traffic is allowed, but the traffic doesn't seem to go where I expect it to go.
-
You need another P2 on the site to site to match your mobile IPsec subnet.
The DVR is probably missing a default gateway, or has a wrong subnet mask.
-
@cmb:
You need another P2 on the site to site to match your mobile IPsec subnet.
The DVR is probably missing a default gateway, or has a wrong subnet mask.
Dead on with the DVR: it had a .0 instead of .1, and I guess for the past three years it was like that, but with the other router I was able to use a local IP to assign to the IPsec tunnel so it didn't matter.
I already had the remote P2 for the local mobile IPsec subnet, but I didn't have one for the local site-to-site, so I added that; still no go. I just got my new hardware in, so I'm going to get VMware set up on that, which will allow me to experiment a little easier.
-
Latest discovery is that I can send ICMP packets from the remote IPsec network to my mobile IPsec connection and they reply fine. When I send them from the mobile IPsec network I see them go through the IPsec interface on the remote network, but if I watch the LAN interface it doesn't seem to forward them out to the intended device.
I'm using 0.0.0.0/0 on the mobile IPsec connection with "Provide a list of accessible networks to clients" turned off, and I have reciprocal setups for the mobile IP range for both of the site-to-site IPsec configurations.
-
Sounds like it's not getting allowed by firewall rules on IPsec tab on the remote end. Since it works in the opposite direction the VPN itself must be fine all around.
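The three answers in this thread (a second Phase 2 on the site-to-site tunnel for the mobile pool, a DVR with an unusable default gateway, and the rules on the IPsec tab of the remote firewall) describe one packet path. The script below walks that path for a single mobile client and reports which piece of configuration would drop it. It is an added example written for this page, not code from the thread or from pfSense; the addresses, the rule lists and the function names are constructed assumptions, and the P2 model treats each Phase 2 entry as a (local, remote) traffic-selector pair the way strongSwan does.

```python
"""Walk a packet from a mobile IPsec client to a host behind a site-to-site
IPsec peer and report which piece of configuration would drop it.

Constructed example: every address, selector and rule here is an assumption,
not taken from the thread."""
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address

# Assumed topology.
HOME_LAN = Net("192.168.1.0/24")      # side running the mobile IPsec server and the DVR
REMOTE_LAN = Net("10.20.0.0/24")      # site-to-site peer
MOBILE_POOL = Net("192.168.50.0/24")  # virtual addresses handed to mobile clients
ANY = Net("0.0.0.0/0")


def selector_covers(selectors, src, dst):
    """Phase 2 entries are (local, remote) network pairs; a packet is carried
    only if some pair has src inside local and dst inside remote."""
    return any(src in local and dst in remote for local, remote in selectors)


def rule_allows(rules, src, dst):
    """First-match firewall rules as (action, src_net, dst_net). pfSense ships
    no rules on the IPsec tab, so an unmatched packet is dropped."""
    for action, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return action == "pass"
    return False


def trace_mobile_to_remote(client, target, *, home_mobile_p2, home_s2s_p2,
                           remote_s2s_p2, remote_ipsec_rules):
    """Return the list of problems for a client -> target packet; an empty
    list means every leg of the path is configured."""
    client, target = Addr(client), Addr(target)
    problems = []
    # Leg 1: client -> home gateway. The client sits on the remote side of the
    # mobile P2, so the pair is checked with local and remote swapped.
    if not selector_covers([(r, l) for l, r in home_mobile_p2], client, target):
        problems.append("mobile P2 on home side does not carry client -> target")
    # Leg 2: home gateway -> remote gateway. The source is still the mobile
    # pool address, so a HOME_LAN <-> REMOTE_LAN selector alone never matches.
    if not selector_covers(home_s2s_p2, client, target):
        problems.append("home site-to-site P2 lacks a MOBILE_POOL -> REMOTE_LAN selector")
    # Leg 3: the remote peer must hold the mirror image of that selector.
    if not selector_covers(remote_s2s_p2, target, client):
        problems.append("remote site-to-site P2 lacks a REMOTE_LAN -> MOBILE_POOL selector")
    # Leg 4: after decryption the packet meets the IPsec-tab rules on the remote box.
    if not rule_allows(remote_ipsec_rules, client, target):
        problems.append("remote IPsec-tab rules do not pass MOBILE_POOL -> target")
    return problems


def host_gateway_problems(ip, mask, gateway):
    """Check a statically configured LAN host such as the DVR. A host with no
    usable gateway still answers on-link peers via ARP, which is why it can
    work for years, but it cannot reply to a mobile client in another subnet."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    gw = Addr(gateway)
    if gw not in net:
        return [f"gateway {gw} is outside {net}"]
    if gw in (net.network_address, net.broadcast_address):
        return [f"gateway {gw} is the network or broadcast address, not a router"]
    return []


if __name__ == "__main__":
    # Mobile P2 of 0.0.0.0/0 with only HOME_LAN <-> REMOTE_LAN on the site-to-site.
    broken = dict(
        home_mobile_p2=[(ANY, MOBILE_POOL)],
        home_s2s_p2=[(HOME_LAN, REMOTE_LAN)],
        remote_s2s_p2=[(REMOTE_LAN, HOME_LAN)],
        remote_ipsec_rules=[("pass", HOME_LAN, REMOTE_LAN)],
    )
    for p in trace_mobile_to_remote("192.168.50.10", "10.20.0.5", **broken):
        print("broken:", p)
    # Extra P2 on both ends plus a pass rule on the remote IPsec tab.
    fixed = dict(
        home_mobile_p2=[(ANY, MOBILE_POOL)],
        home_s2s_p2=[(HOME_LAN, REMOTE_LAN), (MOBILE_POOL, REMOTE_LAN)],
        remote_s2s_p2=[(REMOTE_LAN, HOME_LAN), (REMOTE_LAN, MOBILE_POOL)],
        remote_ipsec_rules=[("pass", HOME_LAN, REMOTE_LAN), ("pass", MOBILE_POOL, REMOTE_LAN)],
    )
    print("fixed:", trace_mobile_to_remote("192.168.50.10", "10.20.0.5", **fixed))
    print("dvr:", host_gateway_problems("192.168.1.40", "255.255.255.0", "192.168.1.0"))
```

The broken configuration reports three problems (legs 2, 3 and 4) while leg 1 passes, which matches the symptom in the thread: the packet leaves the mobile client and is visible on the home side, but never reaches the remote LAN. Traffic started from the remote LAN toward the mobile pool is a different flow and can succeed even when these are missing only on the initiating side, so a one-way ping is not proof that the tunnel is fully configured.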
-
I started a new VM on the remote site and started from scratch. I set it up a while back to connect to the FortiGate I used to have here, so I can't remember what all I experimented with or had done to get it to work. The good news is that after just setting everything up by hand it is all working, so it likely was something like that.