IPsec: remote subnet field non-existent



  • I have created an IKEv2 VPN, and I can get authentication from a win10 client without problems. However, I cannot access any hosts on the LAN, and the subnet of the client tells me 255.255.255.255 whereas it should be 255.255.0.0.

    The PfSense manual says (in the phase-2 chapter) that I should set the remote subnet: "Remote Network: This defines which subnet or host to be accessed on the other end of the tunnel. As mentioned in the previous item, it is paramount that this is set this exactly like the other end's "local subnet" section. If not, phase 2 of the VPN connection will fail and traffic will not pass from one VPN segment to the other".

    However, I do not seem to have any such option ("remote network") in my Phase 2 config page. What might be the problem?


  • LAYER 8 Netgate

    Are you unable to access the server side LAN from the remote access client or are you trying to access a LAN on the remote access client side?

    The PfSense manual says (in the phase-2 chapter) that I should set the remote subnet: "Remote Network: This defines which subnet or host to be accessed on the other end of the tunnel.

    That is for site-to-site VPNs, not Remote Access VPNs.



  • Thank you for your immediate help! I am simply trying to access the LAN from an external remote client.


  • LAYER 8 Netgate

    That is the local subnet in your mobile client phase 2. It is local from the perspective of the server you are configuring.

    Check the rules on your Firewall > Rules, IPsec tab.



  • On IpSec Rules I have one single rule: Pass on any to any with any protocol.



  • I am not sure whether this means anything, but the log contains lots of messages such as:

    08[IKE] <con1|5> received message ID 129, expected 130. Ignored

    ![Screenshot 2015-06-01 18.30.30.png](/public/imported_attachments/1/Screenshot 2015-06-01 18.30.30.png)



  • In the client config, I set 10.10.14.1/16 which should result in a subnet of 255.0.0.0. However, the windows IKE client adapter says that the subnet is 255.255.255.255. My conclusion is that the remote client is on a wrong subnet, and therefore cannot see the hosts on the LAN. How can I fix that?


  • LAYER 8 Netgate

    @aagaag:

    In the client config, I set 10.10.14.1/16 which should result in a subnet of 255.0.0.0. However, the windows IKE client adapter says that the subnet is 255.255.255.255. My conclusion is that the remote client is on a wrong subnet, and therefore cannot see the hosts on the LAN. How can I fix that?

    Actually, /16 is 255.255.0.0, not 255.0.0.0. And that just determines the pool size. Clients get a /32. It's not a broadcast link. It's more like point-to-point.

    You are going to have to post far more information for anyone to be able to help you figure out what you did wrong. Like, for instance, what is your LAN subnet?



  • Dear "derelict", thank you so much for helping me here. I am a medical doctor by training, and I am supposedly good at what I do - but networking is definitely way off my comfort zone. Hence I am very appreciative!

    I have a Windows Server at IP (static) 10.10.10.2 running a DHCP and a DNS server (also 10.10.10.2 of course). The PfSense is running on a Hyper-V VM with address 10.10.10.1. The WAN side is dynamic. I am including a screenshot of the server adapter details as they are detected by windows.

    ![Screenshot 2016-08-13 19.55.45.png](/public/imported_attachments/1/Screenshot 2016-08-13 19.55.45.png)



  • And here are screenshots from my PfSense config:

    ![Screenshot 2016-08-13 20.05.58.png](/public/imported_attachments/1/Screenshot 2016-08-13 20.05.58.png)
    ![Screenshot 2016-08-13 20.09.33.png](/public/imported_attachments/1/Screenshot 2016-08-13 20.09.33.png)


  • LAYER 8 Netgate

    What is the subnet mask on your LAN?

    My first suggestion is to change the subnet mask on your IPsec mobile Virtual Address Pool to /24 but that really depends on the subnet of your LAN as to whether that will actually fix it.

    You could just change the Virtual Address Pool to something like 172.19.241.0/24 and probably fix it, regardless.
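The two points made in the replies above (a /16 pool is 255.255.0.0 and only sizes the pool, each client still gets a /32; and a pool such as 172.19.241.0/24 that sits apart from the LAN is a safer choice) can be checked before saving the mobile-client Phase 2 settings. The following is an added example written for this thread, not code from pfSense or from any poster; the LAN mask 10.10.10.0/24 is an assumption, since the thread never states it.

```python
import ipaddress

# Constructed values taken from the thread: the pool the poster typed, the LAN
# implied by the 10.10.10.x addresses (mask assumed, not stated), and the
# replacement pool suggested in the last reply.
POSTED_POOL = "10.10.14.1/16"
ASSUMED_LAN = "10.10.10.0/24"
SUGGESTED_POOL = "172.19.241.0/24"


def describe_pool(pool_cidr: str) -> dict:
    """Normalise a mobile-client Virtual Address Pool and spell out what it covers."""
    iface = ipaddress.ip_interface(pool_cidr)
    net = iface.network                      # host bits dropped: 10.10.14.1/16 -> 10.10.0.0/16
    return {
        "network": str(net),
        "netmask": str(net.netmask),         # /16 is 255.255.0.0, not 255.0.0.0
        "pool_size": net.num_addresses,      # the prefix only sizes the pool ...
        "client_mask": "255.255.255.255",    # ... each connected client is handed a /32
        "host_bits_set": iface.ip != net.network_address,
    }


def pool_overlaps_lan(pool_cidr: str, lan_cidr: str) -> bool:
    """True when the pool and the LAN share addresses, which makes routing between
    LAN hosts and tunnel clients ambiguous on the firewall."""
    pool = ipaddress.ip_interface(pool_cidr).network
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return pool.overlaps(lan)


def check_pool(pool_cidr: str, lan_cidr: str) -> list:
    """Return human-readable findings for a pool/LAN pair (empty list = looks sane)."""
    findings = []
    info = describe_pool(pool_cidr)
    if info["host_bits_set"]:
        findings.append(f"{pool_cidr} has host bits set; the range actually covered is {info['network']}")
    if pool_overlaps_lan(pool_cidr, lan_cidr):
        findings.append(f"pool {info['network']} overlaps LAN {lan_cidr}; pick a separate range")
    return findings


if __name__ == "__main__":
    for pool in (POSTED_POOL, SUGGESTED_POOL):
        print(pool, describe_pool(pool), check_pool(pool, ASSUMED_LAN))
```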

