pfSense 2.3.2 IPsec VPN mobile configuration not correctly generated
-
I can confirm things are broken without the patch mentioned above.
-
I went ahead and committed the above patch, should be in 2.3.2_1
-
Hi folks,
thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voila, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.
Regards, jones
-
Hi,
Using 2.3.2-RELEASE-p1 (amd64) I'm also missing the remote subnet in P2 for mobile clients.
Current Base System: 2.3.2_1
Is this only missing from the GUI, or does it affect the VPN functionality?
The reason for asking is that I have an issue with the route on the client, which needs to be added manually after the VPN is connected when Windows 10 is set not to use the default gateway on the remote network (so that Internet traffic is not routed over the VPN).
The client does not know that traffic for the remote network is to be routed to the virtual IP assigned by pfSense unless the route is added manually after the VPN connection is established.
I would like routing to happen automatically for mobile VPN users.
Besides that, it works like a charm.
Thanks
-
Routing is controlled only on the client side with IKEv2, the server side cannot influence what the client does.
Windows 10 changed the behavior recently. There is an option you have to change to make it route all traffic, or you can add a route using PowerShell. Search the forum; there has been some talk of it recently.
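As an added example (not from any poster in this thread, and not pfSense's own code), here is the client-side PowerShell approach the reply above alludes to: switch the Windows 10 VPN connection to split tunnelling and attach a per-connection route so the remote subnet is installed automatically every time the tunnel comes up, instead of adding it by hand after each connect. The connection name `pfSense-Mobile` and the remote LAN `192.168.1.0/24` are placeholders; substitute your own. Run from an elevated prompt; add `-AllUserConnection` to each cmdlet if the VPN profile was created for all users.

```powershell
# Added example: make a Windows 10 IKEv2 client route only the remote LAN
# over the tunnel, with the route installed automatically on connect.
# Placeholders (assumptions, not from the thread): connection name and subnet.
$vpnName       = 'pfSense-Mobile'
$remoteSubnets = @('192.168.1.0/24')

# Fail early if the VPN profile does not exist on this machine.
$vpn = Get-VpnConnection -Name $vpnName -ErrorAction Stop

# SplitTunneling = $true is the PowerShell equivalent of unticking
# "Use default gateway on remote network": Internet traffic stays local.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $vpnName -SplitTunneling $true
}

# A per-connection route is stored with the profile and pushed into the
# routing table each time the tunnel comes up, with the tunnel interface
# (and its assigned virtual IP) as the outgoing interface. This replaces
# the manual 'route add' after every connect.
foreach ($prefix in $remoteSubnets) {
    $existing = Get-VpnConnectionRoute -ConnectionName $vpnName |
                Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $vpnName `
                               -DestinationPrefix $prefix -PassThru
    }
}

# Verify what will be installed on the next connect.
Get-VpnConnectionRoute -ConnectionName $vpnName |
    Format-Table DestinationPrefix, RouteMetric -AutoSize
```

This only works on the client, which matches the point made in the reply: with a Windows built-in client the server cannot push routes, so the fix is per profile. After reconnecting, `Get-NetRoute -DestinationPrefix 192.168.1.0/24` should show the route bound to the VPN interface without any manual step.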
-
Thanks
I can configure the routing manually on Windows 10 after the VPN is connected and everything works.
But the problem occurs because pfSense uses a virtual IP for mobile clients that is unknown to the client and not within the LAN network.
Hence the client has no chance of adding the route automatically.
On our old firewall we used the server-side LAN network for the virtual IPs as well, but that seems to be a no-go with pfSense.
But as mentioned, everything works when we add the route manually.
-
That is completely off topic for this thread. Start a new thread if you'd like to discuss that.
-
Hi folks,
thanks for all your support. I can confirm that all our IPsec tunnels are working again on 2.3.2_1. I'm not sure there was an issue related to the GUI stuff. The GUI still shows the empty remote subnet (which in the end does not matter for mobile configs :-)). We changed our configs on the 'desktop client' side from EasyVPN to ModeConfig (which is almost the same, except we can/must provide the remote network subnet). And voila, we're up and running again. Even the OS X built-in IPsec is again able to connect to our pfSense boxes.
Regards, jones
Did you make any change to the OS X system?
I have been unable to connect to the VPN and use the Internet with the OS X built-in IPsec since upgrading from 2.2 to 2.3.2_1.
-
Has this problem reappeared in 2.3.4-RELEASE-p1?
Hi
After enabling IPsec Mobile Support, I create the Phase 1 as the GUI asks me to do in the yellow box at the top.
Adding P1:
General Information- (disabled off)
- V1
- IPv4
- WAN
- (no description)
Phase 1 Proposal (Authentication) - Mutual PSK + XAuth
- Aggressive
- My IP address
- *** a pre-shared key
Phase 1 Proposal (Algorithms) - AES - 256
- SHA1
- DH 2
- 28800
Advanced Options - (rekey off)
- (responder off)
- NAT auto
- DPD on
- Delay 10
- Failures 5
Pretty much the defaults except the Mutual PSK + XAuth setting.
Then adding P2:
General Information- (disabled off)
- Tunnel IPv4
- LAN Subnet
- NAT none
- (no description)
Phase 2 Proposal (SA/Key Exchange) - ESP
- AES - auto
- SHA1
- PFS off
- 3600
Advanced Configuration - (empty)
All is saved and applied.
Now the GUI shows missing 'Remote Subnet' information, as in the attached screenshot. This started around release 2.3.1.
Thanks for any help!
Jones
-
Seems so, I have the same issue. The patch posted above cannot be applied. I have multiple P2s configured: LAN, WLAN, DMZ. I can only access the LAN subnet, and I have no idea why. I don't even know if my problem is related to this topic.