Mobile IPSec clients cannot see Site To Site IPSec LAN
-
Hi,
I have a network with two locations. Site A and Site B are connected via an ipsec tunnel.
Mobile VPN users connect to an IKEv2 VPN I've set up on Site A's PFSense. They can see Site A's network no problem, but not Site B's.
Any help would be appreciated. Thanks!
Site A LAN: 10.5.0.0/16
Site B LAN: 10.6.0.0/16
Mobile VPN: 172.16.10.0/24 -
What traffic selectors (phase 2 networks) are configured?
-
What traffic selectors (phase 2 networks) are configured?
https://photos.app.goo.gl/ffnADHYAmHRnZZ7l1
I tried adding 10.6.0.0/16 under BNAT for Mobile's P2, that didn't work. I also tried adding a 2nd P2 entry with the network address of 10.6.0.0/16.
The Windows clients are set to gateway all traffic through the VPN, so routing on that end shouldn't be an issue.
Not sure if it matters but here's a log snippet showing no traffic selectors?
Dec 21 19:17:43 charon 07[CFG] <con1|14> selecting traffic selectors for other: Dec 21 19:17:43 charon 07[CFG] <con1|14> config: 10.5.0.0/16|/0, received: 0.0.0.0/0|/0 => match: 10.5.0.0/16|/0 Dec 21 19:17:43 charon 07[CFG] <con1|14> selecting traffic selectors for us: Dec 21 19:17:43 charon 07[CFG] <con1|14> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ</con1|14></con1|14></con1|14></con1|14> -
You need a phase 2 between sites A and B for
Site A
Local 172.16.10.0/24
Remote 10.6.0.0/16Site B
Local 10.6.0.0/16
Remote 172.16.10.0/24And, of course, firewall rules must pass the traffic.
-
You need a phase 2 between sites A and B for
Site A
Local 172.16.10.0/24
Remote 10.6.0.0/16Site B
Local 10.6.0.0/16
Remote 172.16.10.0/24Added, no result. Is this in addition to anything else I've already tried above? (I've of course reverted back whatever changes I tried in the original post).
And, of course, firewall rules must pass the traffic.
Sorry for being dense, but where am I adding these rules? To the IPSec interface on both sides? LAN on both sides? Do I need a route on the client's computer to send 10.6.0.0/16 over the VPN?
Thanks for the help btw, it's appreciated. I'm used to old-school command line stuff and I'm having a little trouble translating that to this interface. I know I need traffic to route from the client PC to Site A FW, and rules need to be set up to pass that traffic both to site B, but also the return..
-
firewall rules go on the interfaces the traffic arrives into. So connections from IPsec go on the IPsec tab.
You'll have to post rues, IPsec settings etc. Hard to say what you have done wrong.
-
firewall rules go on the interfaces the traffic arrives into. So connections from IPsec go on the IPsec tab.
You'll have to post rues, IPsec settings etc. Hard to say what you have done wrong.
Hello, and Happy New Year. Sorry for the late reply, but, Christmas break and all..
Anyway just wanted to say that you pointed me in the right direction and was able to solve the problem. Many thanks!
For those ending up here after searching for the same problem, here's how I resolved it based on Derelict's input. He may want to change some of the below however this is working for me now.
If there is a Site to Site (S2S) VPN tunnel in place between, say, between Head Office (Site "A"), and a Branch Office (Site "B"), and you want your Mobile Clients to be able to connect to Site "A" remotely and see Site "B" you need to perform the additional setup:
The idea here is that you need to take the traffic from the Mobile VPN client, that is destined for Site B's network, and:
- Tell Mobile Client's routing to pass Site B's LAN addresses over VPN.
- Hand it off to Site A's local LAN (Mobile Phase 2 entry on Site A)
- Site A's LAN's firewall needs to allow it, NATting the traffic to Site B's network. (IPsec firewall tab on Site A).
- Site A's LAN passes it along to Site A's VPN Tunnel (S2S VPN Phase 2 entry on Site A)
- Site B's VPN Tunnel passes it long to Site B's local LAN. (S2S VPN Phase 2 entry on Site B)
In this example, we will use the following data:
Mobile VPN client network: 172.16.10.0/24
Site A local LAN network: 10.5.0.0/16
Site B local LAN network: 10.6.0.0/16- SITE A: Additional Phase 2: Mobile Clients
- Navigate to VPN -> IPsec
- On the "Tunnels" tab, click "Show Phase 2" entries under "Mobile Clients".
- Create a new Phase 2 entry with the following settings:
o Mode: Tunnel IPv4
o Local Network: 10.6.0.0/16
o Description: Whatever you want. EG: Sales Office LAN
o Protocol: ESP
o Encryption Algorithms: AES 256 bits
o Hash Algorithms: SHA1, SHA256, SHA384, SHA512
o The rest is default.
o Save and Apply.
- SITE A: Additional Phase 2: S2S VPN
- Add a new Phase 2 entry under your existing S2S VPN as follows:
o Mode: Tunnel IPv4
o Local Network: Your Mobile VPN Network (EG: 172.16.10.0/24)
o Remote Network: Your Site B LAN Network (EG: 10.6.0.0/16)
o Encryption Algorithms: AES 256 bits
o Hash Algorithms: SHA1
o The rest is default.
o Save and Apply.
- SITE A: Firewall Rules
- Go to Firewall -> Rules, IPsec Tab
- Add a new rule below the existing one with the following settings:
o Interface: IPsec
o Address Family: IPv4
o Protocol: Any
o Source: Network, your Mobile VPN Network (EG: 172.16.10.0/24)
o Destination: Network, Your Site B LAN Network (EG: 10.6.0.0/16)
o Save and Apply.
- SITE B: Additional Phase 2: S2S VPN
- Add a new Phase 2 entry under your existing S2S VPN as follows:
o Mode: Tunnel IPv4
o Local Network: Your Site B LAN Network (EG: 10.6.0.0/16)
o Remote Network: Your Mobile VPN Network (EG: 172.16.10.0/24)
o Encryption Algorithms: AES 256 bits
o Hash Algorithms: SHA1
o The rest is default.
o Save and Apply.
- Mobile Client Setup
You will need to tell your mobile client's OS to pass Site B's LAN traffic over your VPN connection. I will cover Windows 10 for this.
Open a privileged Power Shell and:
Add-VpnConnectionRoute -ConnectionName "PRP" -DestinationPrefix 10.6.0.0/16 -PassThru
