IKE/IPsec issues after using AWS wizard
-
I am having very strange issues that I am stuck on… I had a working IKE/IPsec vpn so employees could access the LAN offsite by following this doc:
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
My LAN is a /23, our servers are on 192.168.10.0, DHCP clients are using 192.168.11.0 and the VPN network is 192.168.100.0/24. The only issue I had was resolving DNS on the LAN, but I could add DNS to the client computers active interface to work around that issue.
We ran through the AWS VPN wizard and got a VPN from our office to AWS set up very easily. Later that day, VPN clients reported they could no longer reach anything on the 192.168.10.0 network. Here is where it gets odd... Once I connect to the VPN from offsite, I can ping anything on 192.168.11.0. When I try to ping something on 192.168.10.0, I don't get a response from any of our VMs... but if I ping a physical machine, I get the first reply back and the rest time out. Also, I can RDP to a Windows VM on the 192.168.10.0 network just fine.
If I connect to the VPN from within our LAN, everything works.
I thought the AWS tunnel broke something, so I reverted to a config from before the AWS VPN was added... But I am still stuck with the same issue. I rebooted the pfSense last night hoping something was stuck, but it's still the same problem.
I have attached screenshots of the routing table and IPsec firewall rule. I also included the log entry when trying to ping a machine (VM), I can see it passing through the firewall. I feel like this is a routing issue but I don't see how that could change.
Edit: I removed this post because I thought someone made a network change, but that wasn't the issue so I am back...
Edit 2: We have a XenServer and most VMs won't respond to ping from the VPN, but some do... There doesn't seem to be any rhyme or reason to what is working over the VPN and what isn't. Again, some VMs just reply to one ping:
PING 192.168.10.28 (192.168.10.28): 56 data bytes
64 bytes from 192.168.10.28: icmp_seq=0 ttl=63 time=392.026 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
-
My LAN is a /23, our servers are on 192.168.10.0, DHCP clients are using 192.168.11.0 and the VPN network is 192.168.100.0/24.
Why is there a route for the "VPN Network" 192.168.100.0/24 on igb2?
-
That was left over from trying to get DNS working over vpn, so I removed the gateway/route.
The issue, however, was the VMs on XenServer. After rebooting them, they are now able to be accessed from the VPN. I have no idea what happened, but it was likely not the fault of the AWS tunnel. I will keep this post in case the problem comes back when we recreate the AWS tunnel.