IPSEC not routing to LAN



  • I have setup an IPSEC VPN server. Connection is successful but can only access WAN and not LAN.

    • Virtual Address Pool is 172.16.0.0 - successfully getting an IP on my iphone

    • DHCP server range is 192.168.7.0

    • I can ping the iphone from the LAN successfully, but not the other way around

    • Firewall IPSEC rule is set to ip4 any to any

    • All WAN traffic goes through VPN successfully, no LAN traffic

    • Local Network set to 0.0.0.0/0 (under mobile clients)

    The only interesting thing i found on the IPSEC log was the following: (-.-.-.- are my public IPs)

    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> SPI 0x0ac300f6, src -.-.-.- dst -.-.-.-
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> adding outbound ESP SA
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> SPI 0xc46c79fb, src -.-.-.- dst -.-.-.-
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> adding inbound ESP SA
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> using HMAC_SHA2_256_128 for integrity
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> using AES_CBC for encryption
    Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> CHILD_SA con-mobile{3} state change: CREATED => INSTALLING
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: ::/0|/0 => no match
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selecting traffic selectors for other:
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selecting traffic selectors for us:
    Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    

    Don't know what else to check, any ideas?



  • ping...any help?



  • I never managed to get 0.0.0.0 to work in classic IPSec via pfSense.

    Once this P2 has been declared, pfSense passes ALL traffic through the interface and can no longer route its own LAN networks.

    The solution for me was to use IPSec VTI tunnels which allow to manually manage the routing (no more implicit rules)

    Using IPSec VTI, pfSense create a virtual interface, which greatly simplifies operations (static routing, dynamic / conditional routing, NAT, etc.)

    You can find more informations at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html ;)

    coom



  • to route all the traffic though IPsec tunnel please follow the below configuration.

    1. you need firewall Aliases.
      cc7dc5c1-f3f5-4e83-b444-5aa06b44d60a-image.png
      30ea59c5-81e8-4f77-9ee5-213982ae04bc-image.png

    2. you need virtual IP for DNS routing could be any

    bb864545-61b8-4176-a3a5-6875ebf07d2b-image.png

    a02e11a5-0657-4322-b622-a5f6a56ee72f-image.png

    1. Set the above virtual ip as DNS for vpn clients.

    b5851bc7-ecc7-4417-a518-8488912b53ff-image.png

    hope this should work for you.

    Thanks
    Daman


Log in to reply