Mobile IPSec - 2.2.5 to Win 10 - no data



  • Win 10 IPSec clients connect but can't ping anything in another subnet. There are Phase 2 rules for the other subnets and firewall rules. There are already 2 functioning IPSec site-to-site tunnels running using those firewall rules. The mobile clients don't need internet access through the VPN, but I tried adding a 0.0.0.0/0 P2 rule and corresponding firewall rule and it didn't make any difference.

    I set the mobile client virtual address pool to 192.168.8.0/24 and 2 DNS servers in the 192.168.5.0/24 subnet. The client was assigned 192.168.8.1 as an address on the VPN interface and received the DNS server settings, but when I pinged the DNS servers there was no response. When I did a tracert to one of the DNS IPs, it went to the IP of the client's local default gateway (10.0.0.1/24), not to anything on the pfSense subnets.

    Any help would be greatly appreciated.

    Thanks in advance,
    Matt



  • Maybe the attached screen shots will help someone point me to where the problem is.

    When the VPN is connected I can't ping the other private subnets or anything on the internet.

    Any help or direction would be greatly appreciated. I can't upgrade to 2.3.x until this is working since we currently depend on PPTP.

    ![VPN IPsec - Tunnels.jpg](/public/imported_attachments/1/VPN IPsec - Tunnels.jpg)
    ![Status IPsec.jpg](/public/imported_attachments/1/Status IPsec.jpg)
    ![Firewall Rules - IPSec.jpg](/public/imported_attachments/1/Firewall Rules - IPSec.jpg)
    ![Client Connection Status - General.jpg](/public/imported_attachments/1/Client Connection Status - General.jpg)
    ![Client Connection Status - Details.jpg](/public/imported_attachments/1/Client Connection Status - Details.jpg)
    ![Client Network Connection Details.jpg](/public/imported_attachments/1/Client Network Connection Details.jpg)
    ![Client Route Table.jpg](/public/imported_attachments/1/Client Route Table.jpg)



  • Got this mostly fixed.

    1. The client side VPN must be created through the Network and Sharing Center (the legacy interface way), not through the Network & Internet - VPN settings page (new, Modern, interface). It works when you do it the 1st way but doesn't work when you do it the 2nd way.

    2. If you're connecting to clients on internal subnets through the VPN, you have to update the firewall rules on those clients. The IPSec clients are coming from a new, different subnet and the firewalls running on internal machines need to know that new subnet is trusted.

    I still don't have it talking to the internet through the VPN, which is frustrating, but it isn't required for my application so won't prevent our 2.3.x upgrade.
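An added check for the two findings above (not from the thread or from pfSense): the first function, run on the Windows 10 client with the tunnel up, asks the Windows stack which interface it would use for a host behind pfSense, which is exactly what the tracert to 10.0.0.1 revealed; the second, run on an internal host, adds the Windows Firewall rule that trusts the 192.168.8.0/24 client pool. The probe address 192.168.5.10 is a placeholder for one of the poster's DNS servers.

```powershell
# Added example; not the thread author's code. Addresses come from the thread,
# except 192.168.5.10, which is a placeholder for a DNS server in 192.168.5.0/24.
$VpnPool = '192.168.8.0/24'   # mobile client virtual address pool

# Run on the Windows 10 client while the IPsec connection is up.
# Reports whether traffic for $Target would leave via the VPN adapter or via the
# LAN default gateway (the symptom in the first post).
function Test-VpnPath {
    param([string]$Target = '192.168.5.10')   # placeholder DNS server address

    # The VPN adapter is the one holding an address from the 192.168.8.x pool.
    $vpnIf = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '192.168.8.*' } |
        Select-Object -First 1
    if (-not $vpnIf) {
        Write-Warning 'No 192.168.8.x address present; is the VPN connected?'
        return $false
    }

    # Find-NetRoute returns the chosen source address object followed by the
    # route object; keep only the route (it is the one with DestinationPrefix).
    $route = Find-NetRoute -RemoteIPAddress $Target |
        Where-Object { $_.PSObject.Properties.Name -contains 'DestinationPrefix' }

    if ($route.InterfaceIndex -eq $vpnIf.InterfaceIndex) {
        Write-Host "OK: $Target -> $($route.InterfaceAlias) via $($route.DestinationPrefix)"
        return $true
    }
    Write-Warning ("{0} -> {1}, next hop {2}: same path as the tracert that " +
                   "ended at the local gateway instead of the tunnel") -f
                   $Target, $route.InterfaceAlias, $route.NextHop
    return $false
}

# Run (elevated) on an internal host that VPN users must reach. Internal host
# firewalls only trust their own subnet by default, so the new client pool
# needs an explicit inbound allow; scope it to the pool, not to Any.
function Add-VpnPoolFirewallRule {
    param([string]$Pool = $VpnPool)
    New-NetFirewallRule -DisplayName 'Allow IPsec mobile client pool' `
        -Direction Inbound -Action Allow -RemoteAddress $Pool `
        -Profile Domain, Private | Out-Null
    # Show the address scope that was actually applied.
    Get-NetFirewallRule -DisplayName 'Allow IPsec mobile client pool' |
        Get-NetFirewallAddressFilter | Select-Object RemoteAddress
}
```

If Test-VpnPath warns, the fix is on the client side (how the VPN connection was created); if it reports OK but pings still fail, look at the internal host's firewall, which is what Add-VpnPoolFirewallRule addresses.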