    IKE/IPsec issues after using AWS wizard

flowjo-mike:

I am having very strange issues that I am stuck on. I had a working IKE/IPsec VPN so employees could access the LAN offsite by following this doc:

      https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

My LAN is a /23, our servers are on 192.168.10.0, DHCP clients are using 192.168.11.0 and the VPN network is 192.168.100.0/24. The only issue I had was resolving DNS on the LAN, but I could add DNS to the client computers' active interface to work around that issue.

We ran through the AWS VPN wizard and got a VPN from our office to AWS set up very easily. Later that day, VPN clients reported they could no longer reach anything on the 192.168.10.0 network. Here is where it gets odd... Once I connect to the VPN from offsite, I can ping anything on 192.168.11.0. When I try to ping something on 192.168.10.0, I don't get a response from any of our VMs... but if I ping a physical machine, I get the first reply back and the rest time out. Also, I can RDP to a Windows VM on the 192.168.10.0 network just fine.

If I connect to the VPN from within our LAN, everything works.

I thought the AWS tunnel broke something, so I reverted back to a config from before the AWS VPN was added... But I am still stuck with the same issue. I rebooted the pfSense last night hoping something was stuck, but still the same problem.

I have attached screenshots of the routing table and the IPsec firewall rule. I also included the log entry from trying to ping a machine (VM); I can see it passing through the firewall. I feel like this is a routing issue, but I don't see how that could have changed.

Edit: I removed this post because I thought someone had made a network change, but that wasn't the issue, so I am back...

Edit 2: We have a XenServer and most VMs won't respond to ping from the VPN, but some do... There doesn't seem to be any rhyme or reason to what is working over the VPN and what isn't. Again, some VMs just reply to one ping:

      PING 192.168.10.28 (192.168.10.28): 56 data bytes
      64 bytes from 192.168.10.28: icmp_seq=0 ttl=63 time=392.026 ms
      Request timeout for icmp_seq 1
      Request timeout for icmp_seq 2
      Request timeout for icmp_seq 3
      Request timeout for icmp_seq 4

![Screen Shot 2016-09-27 at 10.13.47 AM.png](/public/imported_attachments/1/Screen Shot 2016-09-27 at 10.13.47 AM.png)
![Screen Shot 2016-09-27 at 10.14.05 AM.png](/public/imported_attachments/1/Screen Shot 2016-09-27 at 10.14.05 AM.png)
![Screen Shot 2016-09-27 at 10.24.26 AM.png](/public/imported_attachments/1/Screen Shot 2016-09-27 at 10.24.26 AM.png)
![Screen Shot 2016-09-27 at 10.25.30 AM.png](/public/imported_attachments/1/Screen Shot 2016-09-27 at 10.25.30 AM.png)

Derelict (Netgate):

> My LAN is a /23, our servers are on 192.168.10.0, DHCP clients are using 192.168.11.0 and the VPN network is 192.168.100.0/24.

        Why is there a route for the "VPN Network" 192.168.100.0/24 on igb2?

flowjo-mike:

That was left over from trying to get DNS working over the VPN, so I removed the gateway/route.

The issue, however, was the VMs on XenServer. After rebooting them, they are now reachable from the VPN. I have no idea what happened, but it is likely not the fault of the AWS tunnel. I will keep this post in case the problem comes back when we recreate the AWS tunnel.

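Derelict's question ("why is there a route for the VPN network on igb2?") is the kind of check that is easier to script than to read off a screenshot. The following is an added example, not code from the thread or from pfSense: it parses routing-table text in the FreeBSD `netstat -rn` layout (`Destination Gateway Flags Netif`), as pfSense prints it, and flags any non-default route with a next-hop gateway (`G` flag) whose destination overlaps the mobile IPsec client pool. The sample routing table below is constructed to resemble the situation described in the thread (a leftover static route for 192.168.100.0/24 out igb2); the addresses and interface names are assumptions, not taken from the original screenshots.

```python
import ipaddress

# Constructed sample in FreeBSD `netstat -rn` style. This is NOT the poster's
# routing table; it only mimics the leftover static route Derelict asked about.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       igb0
127.0.0.1          link#4             UH        lo0
192.168.10.0/23    link#2             U         igb1
192.168.10.1       link#2             UHS       lo0
192.168.100.0/24   192.168.10.1       UGS       igb2
"""


def parse_routes(text):
    """Parse `netstat -rn`-style lines into (network, gateway, flags, netif) tuples.

    Lines that are not IPv4/IPv6 route entries (headers, blank lines, link-level
    garbage) are skipped rather than raising.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[3]
        try:
            if dest == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                # Host routes have no prefix; ip_network() treats them as /32.
                net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append((net, gateway, flags, netif))
    return routes


def flag_pool_routes(text, pool_cidr):
    """Return routes that send the mobile IPsec client pool to a next-hop gateway.

    Mobile clients are reached through the IPsec policy, not through a static
    route, so any gateway route (flag 'G') overlapping the pool is suspect.
    The default route is excluded because it overlaps everything.
    """
    pool = ipaddress.ip_network(pool_cidr)
    hits = []
    for net, gateway, flags, netif in parse_routes(text):
        if net.prefixlen == 0:
            continue
        if net.version == pool.version and net.overlaps(pool) and "G" in flags:
            hits.append({"dest": str(net), "gateway": gateway,
                         "flags": flags, "netif": netif})
    return hits


if __name__ == "__main__":
    # On a live pfSense box you would feed in the output of `netstat -rn`.
    for hit in flag_pool_routes(SAMPLE_ROUTES, "192.168.100.0/24"):
        print("suspect route: %(dest)s via %(gateway)s (%(flags)s) on %(netif)s" % hit)
```

Run it against `netstat -rn` output from the firewall before and after removing the route; an empty result means nothing in the kernel table is steering the client pool out a physical interface, and the remaining reachability problem (here, the XenServer VMs that only answered the first ping) lies elsewhere.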