Mobile IPSec VPN works but does not follow 302 redirects

Netgate Discussion Forum, IPsec category (tags: ipsec, vpn, mobile, nat, firewall)
svarto:

      @Konstanti @Derelict thanks a lot for looking through this.

11.0.0.0 is weird, I agree. I just put this as the virtual IP address for the client, and when I generated a certificate (I followed this guide: https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html) and connected with my Android phone, this is the IP that it connects through.

[image]

Perhaps I made a mistake there? To my knowledge, I have not configured any NAT rules for the IPSec VPN server, see below. (Please note, I have my pfSense set up as an OpenVPN client, so there are some NAT rules, but those are for a different VPN.)
[image]

Konstanti (@svarto):

        @svarto

This is not entirely correct.
It is better to assign addresses from the allowed list (private IP addresses):
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

For example, 192.168.30.0/24,
and then for this network you can create a NAT outbound rule.
For example:
IPsec mobile client settings
[image]
and
NAT outbound
[image]

Konstanti (@svarto):
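A small check, added here as an example (not pfSense or strongSwan code), for the two points in the post above: the mobile client pool should sit inside an RFC 1918 range, and it must not overlap the LAN or any other tunnel network the firewall already routes (a common cause of "VPN connects but some hosts are unreachable"). The sample networks are constructed; the pool and LAN values from this thread are used as inputs.

```python
"""Sanity-check a mobile IPsec virtual address pool before entering it in the
Mobile Clients settings.  Added example, not part of pfSense or strongSwan;
sample networks are constructed for illustration."""
import ipaddress

# The private ranges Konstanti lists (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_pool(pool, existing):
    """Return a list of findings; an empty list means the pool is usable.

    pool      -- CIDR for the mobile client virtual address pool, e.g. "192.168.30.0/24"
    existing  -- mapping of label -> CIDR for networks already present on the
                 firewall (LAN, other VPN tunnels, ...).
    """
    net = ipaddress.ip_network(pool, strict=False)
    findings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{net} is not inside an RFC 1918 range; use a private pool instead")
    for label, cidr in existing.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            findings.append(f"{net} overlaps {label} ({other}); pick a pool that does not collide")
    return findings


if __name__ == "__main__":
    # Constructed firewall inventory: the LAN from this thread plus an OpenVPN tunnel net.
    inventory = {"LAN": "192.168.0.0/24", "OpenVPN client": "10.8.0.0/24"}
    for candidate in ("11.0.0.0/8", "192.168.0.0/24", "192.168.30.0/24"):
        print(candidate, "->", check_pool(candidate, inventory) or "OK")
```

Running it flags 11.0.0.0/8 as public, flags 192.168.0.0/24 as colliding with the LAN, and accepts 192.168.30.0/24, which is the pool suggested in the post.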

            @svarto

1. You can open the strongSwan app log and see which IP is assigned
  [image]

            or
            2. /status/ipsec/leases

            or
            3. Status/System Logs/IPsec

[image]

svarto:

@Konstanti Thanks man, I managed to reassign the virtual IP and set up the NAT as you mentioned; however, it is still not working.

[attachment: packetcapture_2.zip]

I attach a new packet capture. Could it be something with the Unbound DNS Resolver? I am resolving app1.example.com to IP 192.168.0.98 through the pfSense Unbound DNS resolver. It works on all my other devices, but is there something special with IPSec VPN mobile clients? I read somewhere that I had to set the Outgoing Network Interfaces to LAN and Localhost for it to work over VPN, so I did that already.

              DNS Resolver:
[image]

Konstanti (@svarto):

                @svarto
The packet capture file is empty.

Derelict (Netgate):

                  And don't filter on anything but the host address so we can see the DNS queries.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

svarto:

[attachment: PacketCaptureontwointerfaces.zip]

@Konstanti @Derelict I created two packet captures on the two separate interfaces, filtering for the Android IPSec VPN client as host (i.e. 192.168.200.1).

                    Should be something in the files now...

svarto:

@Konstanti @Derelict What is very peculiar is that when I am connected to the Wifi on my phone and then connect through the IPSec VPN, everything works. When I am not on the internal network but on 4G on my phone, and connect through the IPSec VPN, it doesn't work.

See the packet capture from being on the Wifi and connected through the VPN, where everything works:
[attachment: IPSecInterfaceonWifiallworks.zip]

Derelict (Netgate):

                        Doesn't do any good to look at pcaps of it working without one of it not working to compare it to.

svarto (@Derelict):

@derelict said in Mobile IPSec VPN works but does not follow 302 redirects:

    Doesn't do any good to look at pcaps of it working without one of it not working to compare it to.

I submitted two packet captures, one where it wasn't working (i.e. Android phone on 4G with the IPSec VPN turned on) and a second where it is working (i.e. Android phone on the internal Wifi with the IPSec VPN turned on).

                            My problem is that I would expect it to work the same whenever I am connected through the IPSec VPN...

                            Or did I misunderstand your comment?

                            Please see below:
[attachment: bothpacketcaptures.zip]

Konstanti (@svarto):

                              @svarto
Hey,
make two files on the LAN interface (IPsec is not necessary):
the first when it works,
the second when it is not working.
What you posted was an IPsec capture (workingpacketcapture.cap).
It looks like this:

[image]

The second file (Notworkingpacketcapture.cap) you already showed yesterday.

[image]

This is yesterday's file (LanInterfaceClientasHost.cap):

[image]

svarto:

@Konstanti Thanks for your patience. I did the packet captures for the two separate cases and attach them here in the .zip file; they are named according to whether they were working or not:

[attachment: LANsplittest.zip]

Konstanti (@svarto):

                                  @svarto

And what is the error that is expressed?
                                  Visually, encrypted data is exchanged in both cases. There are no errors in the exchange. The client confirms receipt of the data.

svarto:

                                    @Konstanti

                                    I attach a network diagram of my setup to make it clearer.

This is what is weird: when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get any errors, just timeouts. I can access everything on the internal LAN and the internet, except that I cannot log in to certain web services. When I enter my password and press login, it just stalls; the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser.

However, when I am on my phone on the internal Wifi over the VPN (option 2), I click login and get redirected instantly to the dashboard of the web app. I can also reach the web app from outside my network as I have a reverse proxy (option 3), and this works fine.

The reason I want to set up the Mobile IPSec VPN is that I want to shut down the reverse proxy I have set up, so that I can only access my web services over the VPN and no longer expose them directly to the internet.

[image: network diagram]

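The symptom described in this thread (the login POST is answered, the browser then stalls and finally reports "Server not found") is what a client shows when a 302 Location header names a host it cannot resolve or reach over the tunnel, while the same redirect works from a network where that name does resolve. The following diagnostic, added here as an example and not code from Netgate, pfSense or any poster, follows a redirect chain one hop at a time and reports, for each hop, the hostname the client has to resolve. It runs offline against a constructed stand-in web app on loopback; app1.example.com (taken from the thread) and the client's DNS view are constructed, and a real run would use the VPN client's resolver instead of the lookup table.

```python
"""Follow an HTTP redirect chain one hop at a time and show which hostname each
hop needs the client to resolve.  Added example (not Netgate/pfSense code);
the demo server, app1.example.com and the client's DNS view are constructed."""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib surface each 3xx as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def trace_redirects(start_url, resolve, max_hops=10, timeout=3):
    """Return a list of (url, resolved_ip, status) tuples, one per hop.

    `resolve(host)` stands in for the client's DNS view and returns an IP
    string or None.  A hop whose resolved_ip is None is where a browser would
    hang and eventually show "Server not found"; the trace stops there.
    """
    opener = urllib.request.build_opener(_NoFollow)
    chain = []
    url = start_url
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        ip = resolve(host)
        if ip is None:
            chain.append((url, None, None))
            break
        try:
            with opener.open(url, timeout=timeout) as resp:
                status, location = resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:  # 3xx lands here because of _NoFollow
            status, location = err.code, err.headers.get("Location")
        chain.append((url, ip, status))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain


class _LoginHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the web app: /login answers a 302 whose
    Location carries the app's DNS name rather than the address the client used."""

    def do_GET(self):
        if self.path == "/login":
            self.send_response(302)
            self.send_header("Location", "http://app1.example.com/dashboard")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Trace against the local stand-in with a DNS view in which
    app1.example.com does not resolve (the '4G through the VPN' case)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        client_dns = {"127.0.0.1": "127.0.0.1"}  # constructed: only the demo host is known
        return trace_redirects(f"http://127.0.0.1:{port}/login", client_dns.get)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for url, ip, status in demo():
        print(f"{url:45s} -> {ip or 'UNRESOLVED':12s} {status or ''}")
```

The first hop resolves and returns 302; the second hop, http://app1.example.com/dashboard, is reported as unresolved, which is exactly the point at which the phone on 4G would stall. Pointing `resolve` at the tunnel's real resolver (for instance a function that queries the Unbound instance the mobile clients are handed) turns this into a direct test of whether the redirect target is reachable over the VPN.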