Mobile IPSec - 2.2.5 to Win 10 - no data
Win 10 IPSec clients connect but can't ping anything in another subnet. There are Phase 2 rules for the other subnets and firewall rules. There are already 2 functioning IPSec site-to-site tunnels running using those firewall rules. The mobile clients don't need internet access through the VPN, but I tried adding a 0.0.0.0/0 P2 rule and corresponding firewall rule and it didn't make any difference.
I set the mobile client virtual address pool to 192.168.8.0/24 and 2 DNS servers in the 192.168.5.0/24 subnet. The client was assigned 192.168.8.1 as an address on the VPN interface and received the DNS server settings, but when I pinged the DNS servers there was no response. When I did a tracert to one of the DNS IPs, it went to the IP of the client's local default gateway (10.0.0.1/24), not to anything on the pfSense subnets.
Any help would be greatly appreciated.
Thanks in advance,
Matt
Maybe the attached screen shots will help someone point me to where the problem is.
When the VPN is connected I can't ping the other private subnets or anything on the internet.
Any help or direction would be greatly appreciated. I can't upgrade to 2.3.x until this is working since we currently depend on PPTP.
![VPN IPsec - Tunnels.jpg](/public/imported_attachments/1/VPN IPsec - Tunnels.jpg)
![Status IPsec.jpg](/public/imported_attachments/1/Status IPsec.jpg)
![Firewall Rules - IPSec.jpg](/public/imported_attachments/1/Firewall Rules - IPSec.jpg)
![Client Connection Status - General.jpg](/public/imported_attachments/1/Client Connection Status - General.jpg)
![Client Connection Status - Details.jpg](/public/imported_attachments/1/Client Connection Status - Details.jpg)
![Client Network Connection Details.jpg](/public/imported_attachments/1/Client Network Connection Details.jpg)
![Client Route Table.jpg](/public/imported_attachments/1/Client Route Table.jpg)
Got this mostly fixed.
The client-side VPN must be created through the Network and Sharing Center (the legacy interface way), not through the Network & Internet - VPN settings page (the new, Modern interface). It works when you do it the first way but doesn't work when you do it the second way.
If you're connecting to clients on internal subnets through the VPN, you have to update the firewall rules on those clients. The IPSec clients are coming from a new, different subnet, and the firewalls running on internal machines need to know that the new subnet is trusted.
I still don't have it talking to the internet through the VPN, which is frustrating, but it isn't required for my application so it won't prevent our 2.3.x upgrade.
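One way to check the two things the last post names (the client actually routing the remote subnets into the tunnel instead of its local gateway, and the host firewalls on internal machines trusting the mobile pool), written as an added PowerShell example that is not from this thread. It assumes an endpoint name of vpn.example.test and IKEv2 with EAP (the thread does not state the authentication method), and it creates the connection with Add-VpnConnection, a third creation path the thread did not test against the legacy/Modern UI difference.

```powershell
# Added example, not from the thread. Assumed: endpoint vpn.example.test, IKEv2 + EAP.
# Subnets are the ones the thread names: 192.168.8.0/24 (mobile pool),
# 192.168.5.0/24 (DNS servers behind pfSense), 10.0.0.1 (client's local gateway).
$Name   = 'pfSense Mobile IPsec'
$Server = 'vpn.example.test'            # assumption, replace with the real endpoint
$Remote = @('192.168.5.0/24')           # subnets that must go through the tunnel
$Pool   = '192.168.8.0/24'              # virtual address pool handed to clients

# 1. Create the connection with split tunneling: only routes added below go into
#    the tunnel, which matches "clients don't need internet access through the VPN".
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling
}

# 2. With split tunneling, a subnet without an explicit VPN route falls back to the
#    client's own default gateway (the tracert symptom in the first post), so add one
#    per remote subnet. These routes are installed whenever the connection is up.
foreach ($prefix in $Remote) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix `
        -ErrorAction SilentlyContinue
}

# 3. After connecting (e.g. rasdial "$Name"), verify the remote subnet is reached via
#    the VPN interface. Windows names that interface after the connection, so a route
#    for the prefix whose InterfaceAlias is $Name means traffic is not leaking to 10.0.0.1.
function Test-TunnelRoute {
    param([string]$Prefix = '192.168.5.0/24')
    $routes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $Prefix `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Prefix    = $Prefix
        Interface = ($routes.InterfaceAlias -join ',')
        ViaTunnel = [bool]($routes | Where-Object InterfaceAlias -eq $Name)
    }
}

# 4. On each internal Windows host the mobile clients must reach: trust the pool,
#    but only for what is needed (ICMP echo and DNS here) rather than all traffic.
function Add-MobilePoolFirewallRules {
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from IPsec mobile pool' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Pool `
        -Action Allow -Profile Domain,Private
    New-NetFirewallRule -DisplayName 'Allow DNS from IPsec mobile pool' `
        -Direction Inbound -Protocol UDP -LocalPort 53 -RemoteAddress $Pool `
        -Action Allow -Profile Domain,Private
}
```

Run steps 1 and 2 on the Windows 10 client, step 3 once the tunnel is up, and step 4 (elevated) on the internal hosts that the clients need to reach.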