Netgate Discussion Forum

    Reach mobile client from LAN via IPsec tunnel

    viktor_g Netgate

      Please show VPN / IPsec / Tunnels configuration

      lemonfan

        Please see attached pictures with the IPsec config:

        pfsense_phase1.png
        pfsense_phase2.png
        pfsense_mobile_clients.png
        pfsense_psk.png
        pfsense_advanced.png

        viktor_g Netgate

          You use a very outdated version of pfSense.
          Please update to the latest, 2.4.4-p3.

            lemonfan

            I still need PPTP VPN for one client, therefore an update is not possible right now.

            Any hint on how to solve the IPsec routing to the road warrior?

              viktor_g Netgate

              Checked it on the latest 2.4.4-p3: no problem,
              traffic is routed into IPsec.

              Is pfSense the single gateway in the 192.168.1.0/24 network?
              What is the default gw on ServerA?

                lemonfan

                Default GW on ServerA is the pfSense LAN address 192.168.1.10. No route is configured on ServerA for the 192.168.2.x network.

                If I capture packets on the LAN interface, I can see the ICMP packet on the LAN interface (IP 192.168.1.20 > 192.168.2.149) and on the WAN interface (IP 192.168.50.2 > 192.168.2.149), but nothing on the IPsec interface.
                192.168.50.2 is the IP of one of the pfSense WAN interfaces (it has two in a gateway group).

                I've tried with a "NO NAT" outbound rule on every interface for destination 192.168.2.0/24 with no success.
                In parallel, I've also set up a LAN-to-LAN IPsec tunnel. This works in both directions out of the box.

                  lemonfan

                  Can I list the fw tables with ipfw?
                  The command 'ipfw table all list' throws the following error: 'ipfw: Context is mandatory: No such file or directory'

                    viktor_g Netgate @lemonfan

                    @lemonfan it is better to show routes:

                    netstat -rn4

                      viktor_g Netgate @lemonfan

                      @lemonfan Did you try OpenVPN for mobile clients? Check the same.

                        lemonfan

                        The output of netstat -rn4 (while IPsec connection is established):

                        Routing tables
                        
                        Internet:
                        Destination        Gateway            Flags      Netif Expire
                        default            192.168.50.1       UGS         sk0
                        1.1.1.1            192.168.50.1       UGHS        sk0
                        8.8.8.8            192.168.51.1       UGHS        sk2
                        127.0.0.1          link#8             UH          lo0
                        192.168.50.0/24    link#1             U           sk0
                        192.168.50.2       link#1             UHS         lo0
                        192.168.51.0/24    link#3             U           sk2
                        192.168.51.2       link#3             UHS         lo0
                        192.168.1.0/24     link#2             U           sk1
                        192.168.1.10       link#2             UHS         lo0
                        
                          lemonfan

                          Some more debugging on the fw:

                          1. ping 192.168.2.145
                            Generates ICMP echo request packets on the gw interface (sk0/sk2); no ICMP echo reply is received (obviously).
                            Result: ping command gets no answer.

                          2. ping -S 192.168.1.10 192.168.2.145
                            Generates ICMP echo request packets on the IPsec interface (enc0) and the client answers back with ICMP echo reply packets.
                            Result: ping command is ok.

                          3. route add 192.168.2.144/28 192.168.1.10
                            ping 192.168.2.145
                            Generates ICMP echo request packets on the IPsec interface (enc0) and the client answers back with ICMP echo reply packets.
                            Result: ping command is ok.

                          BUT:
                          Even with the above route, I can ping the client only from the fw itself, but not from the network. I've also tried playing with NAT rules to force the fw source address, but no luck so far.

                          Any further idea to solve the problem?

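To see why the firewall's own pings in steps 1 and 3 above pick different source addresses, here is an added example (not from the thread or from pfSense) that replays the posted netstat -rn4 table through a longest-prefix-match lookup with FreeBSD-style source selection. The flags and netif shown for the row that `route add 192.168.2.144/28 192.168.1.10` creates are assumed values; the rest of the table is copied from the post.

```python
import ipaddress

# Constructed copy of the netstat -rn4 table posted in the thread (pfSense / FreeBSD).
NETSTAT_RN4 = """\
Destination        Gateway            Flags      Netif Expire
default            192.168.50.1       UGS         sk0
1.1.1.1            192.168.50.1       UGHS        sk0
8.8.8.8            192.168.51.1       UGHS        sk2
127.0.0.1          link#8             UH          lo0
192.168.50.0/24    link#1             U           sk0
192.168.50.2       link#1             UHS         lo0
192.168.51.0/24    link#3             U           sk2
192.168.51.2       link#3             UHS         lo0
192.168.1.0/24     link#2             U           sk1
192.168.1.10       link#2             UHS         lo0
"""

def parse_routes(text):
    """Return [(network, gateway, flags, netif)] from netstat -rn4 output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not (parts[0] == "default" or parts[0][0].isdigit()):
            continue  # skip header lines
        dest, gw, flags, netif = parts[:4]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gw, flags, netif))
    return routes

def add_route(routes, prefix, gateway, flags, netif):
    """Model 'route add PREFIX GATEWAY'; flags/netif are assumed values for the new row."""
    routes.append((ipaddress.ip_network(prefix), gateway, flags, netif))

def lookup(routes, dst):
    """Longest-prefix match: the forwarding decision the kernel makes for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)

def has_specific_route(routes, dst):
    """True if something other than the default route covers dst."""
    return lookup(routes, dst)[0].prefixlen > 0

def egress(routes, dst):
    """(netif, gateway, source) for a packet the firewall originates itself.
    Source = the local host route (flag H) sharing its link# with the next hop's net."""
    net, gw, flags, netif = lookup(routes, dst)
    link = gw if gw.startswith("link#") else lookup(routes, gw)[1]
    src = next(str(n.network_address) for n, g, f, _ in routes if g == link and "H" in f)
    return netif, gw, src
```

Without the extra route, 192.168.2.145 falls to the default route and the source becomes the WAN address 192.168.50.2 (the address seen in the captures); after the /28 via 192.168.1.10 is added, the source selected is 192.168.1.10, the same address step 2 forces with `ping -S`.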
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.