Netgate Discussion Forum
    Mobile IPSec Network Traffic

    IPsec
    bigjme93:

      Hi Everyone,

      I'm sure this has likely been asked before, but I've followed a number of different guides and just can't get this to work.

      I'm trying to set up my IPsec VPN from my Android phone to my house. I've followed guides online, and this was working for about a year, routing internet and network traffic over the VPN; I didn't use it often, so this was fine.
      Recently I upgraded to the latest pfSense (2.4.2); at the same time I had my network changed around a little, and now I could really do with setting my phone up with the VPN always on, to monitor things like CCTV alerts etc.

      So I altered the pfSense configuration and have LAN working fine, but when connected I can't seem to get internet on my phone at all.

      Loading a webpage simply times out and does nothing further. I was wondering if anyone can check over my settings and see if there is something I have missed, or maybe it's an Android thing? In short, I want the VPN on always so I can access my LAN, but I want all normal web traffic to route via my mobile carrier as normal.

      I'm also having some odd behaviour where, in the IPsec status, the VPN clients are being put in the wrong network bit range, which is a little odd as well. I've attached screenshots of everything I think is relevant from the pfSense side; let me know if anything is missing.

      Many thanks in advance

      Regards,
      Jamie
      Attachments: screen1.jpg, screen2.jpg, screen3.jpg, screen4.jpg, screen5.jpg, screen6.jpg


    PimB:

      Did you make an any-to-any firewall rule under IPsec?


    bigjme93:

      Hi PimB

      Sorry I didn't reply sooner, I didn't get a notification of a response :)

      I did have an any-to-any rule set up, yes, but now that my network is being used more I have altered it a little to the attached.

      192.168.1.0/24 is a remote network; this should be able to access 192.168.0.0/24 and the other way around (I do need 2 rules for this, I presume).
      192.168.2.0/24 is my mobile VPN; this can access 192.168.0.0/24 but nothing else. With the rule on it can connect to my home network but still has no internet.

      If I disable the rules and reconnect the client, then it can't access my network, so I know the 24-bit assignment is working (even though the IPsec status shows it as 32-bit).

      There is a WAN rule I'm not entirely sure of; sorry, I'm not a serious network guy, I'm still learning as I go. I've uploaded an image called rule.jpg.
      To my knowledge this is just allowing the external VPN connection to actually occur. If I disable those rules, I can still connect the VPN and access my LAN (with no internet still).

      Surely with those 2 off I should be unable to connect using the VPN, unless the NAT rules are overriding?

      Regards,
      Jamie

      Edit
      As a trial I set outbound NAT to Manual Outbound NAT rule generation and disabled the 2 rules for 192.168.2.0/24,
      and I was still able to connect on the VPN. So in short I now have no rules, or NAT, set up to allow connections on ports 500 or 4500 for the VPN, and I can still connect without issues.
      Really confused about this now, as surely it should be blocking the connections by default?

      Attachments: ipsec.jpg, rule.jpg


    PimB:

      Hi bigjme93,

      No problem.

      So you have a VPN breakout? Could you point the NAT rules (* and 500) for 192.168.2.0 to the network interface of the internet out?

      I have multiple outgoing VPNs to a VPN provider grouped under System > Routing, set that up as a gateway on the WAN and IPsec rules, and I've made NAT rules for each interface out.

      Also, after you have done this, could you try to assign 0.0.0.0/0 as the local subnet (Phase 2)?


    bigjme93:

      Hi PimB

      My aim isn't to allow the VPNs to access out in this case. Rather, I'm trying to lock it down a little.

      To better explain:
      When I initially set up the VPN, I set it up so that mobile clients could access my LAN and route internet via the VPN, so that all internet traffic from the mobile came from my home IP.
      I mainly use this once or twice a day for a few minutes just to check on stuff at home. To do this I set up the 0.0.0.0/0 Phase 2 like mentioned below.

      I have now expanded my home CCTV and alarm systems so they can send me alerts to my phone if anything goes wrong. Rather than allowing login access to these services via the web, I kept them locked to access from the LAN only.

      So now my mobile needs to access my LAN network all the time, to stay logged into the VPN. This was fine, except that when all my internet was routing through home, I was maxing out my upload speed from home whenever I was trying to watch YouTube or download updates from my phone.

      So what I want to do is allow the phone to route all LAN traffic to my home, but route anything web-like (YouTube and updates) directly to the mobile network (avoiding the VPN entirely).

      I may find out that this is something not possible due to something stupid in Android, but even with everything set as it is now, my phone is still unable to connect to the internet when connected to the VPN, like it's still trying to route everything via it.

      I hope this clarifies things a little more?

      Regards,
      Jamie


    Derelict (Netgate):

      Split tunneling is more to do with the client settings than the server.

      For instance, in Windows 10 I'm pretty sure you need to manually set that in PowerShell. At least in some versions.

      Sorry, no Android here to test, and it too probably varies version-to-version.



    PimB:
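    The PowerShell configuration Derelict refers to, as an added example that is not part of the thread and not Netgate's or pfSense's own code: it builds a Windows 10 IKEv2 client profile for a mobile IPsec server with split tunneling enabled, so only the home LAN is routed through the tunnel and everything else (YouTube, updates) stays on the local uplink. The server name `vpn.example.home`, the connection name `HomeIPsec`, the LAN prefix 192.168.0.0/24 and the choice of EAP (username/password) authentication are assumptions for the example; substitute your own.

    ```powershell
    # Added example (not from the thread). Hypothetical values: server vpn.example.home,
    # connection name HomeIPsec, home LAN 192.168.0.0/24, EAP username/password auth.
    $name   = 'HomeIPsec'
    $server = 'vpn.example.home'
    $lan    = '192.168.0.0/24'

    # 1. Create the IKEv2 connection with split tunneling. With -SplitTunneling $true
    #    Windows does NOT install a default route through the tunnel; without it,
    #    all traffic is sent via the VPN and the home uplink becomes the bottleneck.
    Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling $true -RememberCredential $true -Force

    # 2. A split-tunnel profile only routes what it is told to route: add the home
    #    LAN explicitly so that LAN-only services (CCTV, alarm) go through the tunnel.
    Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix $lan -PassThru

    # 3. Verify: SplitTunneling must be True and the route list should contain only the LAN.
    Get-VpnConnection -Name $name | Select-Object Name, TunnelType, SplitTunneling
    (Get-VpnConnection -Name $name).Routes | Select-Object DestinationPrefix, RouteMetric

    # If the connection already exists as a full-tunnel profile, flip the setting instead:
    # Set-VpnConnection -Name $name -SplitTunneling $true
    ```

    The server side has to cooperate: the routes a client installs come from the Phase 2 (traffic selector) it negotiates, so a Phase 2 local network of 0.0.0.0/0, as used earlier in the thread for full tunneling, would still pull the default route on clients that honour the negotiated selectors. Narrowing the Phase 2 local network to the LAN subnet is the server-side half of the split-tunnel setup; whether a given Android IPsec client respects it is exactly the version-dependent question Derelict leaves open.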

                  Hi bigjme93,

                  I understand. I can't help with that, if it's even possible. Maybe someone else here?


    bigjme93:

      @Derelict wrote:

          Split tunneling is more to do with the client settings than the server.

          For instance, in Windows 10 I'm pretty sure you need to manually set that in PowerShell. At least in some versions.

          Sorry, no Android here to test, and it too probably varies version-to-version.

      I had a feeling it may not be possible. I have just set up the internet to route through my VPN again (and tidied up my firewall rules a lot).

      Thanks for the help, both of you :)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.