Netgate Discussion Forum
    IPSEC not routing to LAN

    4 Posts 3 Posters 1.1k Views

    normaluser99
    last edited by normaluser99

      I have set up an IPSEC VPN server. Connection is successful but can only access WAN and not LAN.

      • Virtual Address Pool is 172.16.0.0 - successfully getting an IP on my iPhone

      • DHCP server range is 192.168.7.0

      • I can ping the iPhone from the LAN successfully, but not the other way around

      • Firewall IPSEC rule is set to ip4 any to any

      • All WAN traffic goes through VPN successfully, no LAN traffic

      • Local Network set to 0.0.0.0/0 (under mobile clients)

      The only interesting thing I found in the IPSEC log was the following: (-.-.-.- are my public IPs)

      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> SPI 0x0ac300f6, src -.-.-.- dst -.-.-.-
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> adding outbound ESP SA
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> SPI 0xc46c79fb, src -.-.-.- dst -.-.-.-
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> adding inbound ESP SA
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> using HMAC_SHA2_256_128 for integrity
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> using AES_CBC for encryption
      Jan 18 11:32:00	charon		12[CHD] <con-mobile|3> CHILD_SA con-mobile{3} state change: CREATED => INSTALLING
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: ::/0|/0 => no match
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selecting traffic selectors for other:
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selecting traffic selectors for us:
      Jan 18 11:32:00	charon		12[CFG] <con-mobile|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

      Don't know what else to check, any ideas?

        normaluser99
        last edited by
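      The CFG lines in that log are the traffic-selector negotiation: "for us" is the pfSense side, "for other" is the phone. The following script is an added example (not part of the original post or of pfSense) that pulls the accepted selectors out of such charon lines and checks whether a LAN subnet such as 192.168.7.0/24 falls inside the local selector; the sample log is constructed from the lines above, re-ordered chronologically because the pfSense log viewer shows newest entries first.

```python
import ipaddress
import re
from collections import defaultdict

# charon logs a header line per side, then one "config: X, received: Y => match: Z"
# line for every selector it accepted ("=> no match" lines are rejected candidates).
SELECTING_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> selecting traffic selectors for (?P<side>us|other):")
MATCH_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> config: [^,]+, received: \S+ => match: (?P<ts>\S+)")

# Constructed sample in chronological order (the pfSense GUI shows newest first,
# so a log pasted from the viewer must be reversed before parsing).
SAMPLE_LOG = """\
12[CFG] <con-mobile|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
12[CFG] <con-mobile|3> selecting traffic selectors for us:
12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
12[CFG] <con-mobile|3> config: 0.0.0.0/0|/0, received: ::/0|/0 => no match
12[CFG] <con-mobile|3> selecting traffic selectors for other:
12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
12[CFG] <con-mobile|3> config: 172.16.0.1/32|/0, received: ::/0|/0 => no match
12[CHD] <con-mobile|3> CHILD_SA con-mobile{3} state change: CREATED => INSTALLING
"""


def parse_selectors(log_text):
    """Map (conn, sa_id) -> {"us": [local networks], "other": [remote networks]}."""
    result = defaultdict(lambda: {"us": [], "other": []})
    side_of = {}  # side named by the most recent header line, per SA
    for line in log_text.splitlines():
        if (m := SELECTING_RE.search(line)):
            side_of[(m["conn"], m["sa"])] = m["side"]
        elif (m := MATCH_RE.search(line)) and (m["conn"], m["sa"]) in side_of:
            # "0.0.0.0/0|/0": address part before "|", protocol/port part after it
            try:
                net = ipaddress.ip_network(m["ts"].split("|")[0], strict=False)
            except ValueError:
                continue  # "a..b" address ranges are not CIDR; skip them
            result[(m["conn"], m["sa"])][side_of[(m["conn"], m["sa"])]].append(net)
    return dict(result)


def lan_covered(selectors, lan_cidr):
    """True if the LAN subnet lies inside a local ("us") selector of any SA."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(ts.version == lan.version and lan.subnet_of(ts)
               for sa in selectors.values() for ts in sa["us"])


if __name__ == "__main__":
    sas = parse_selectors(SAMPLE_LOG)
    for key, ts in sas.items():
        print(key, "us:", [str(n) for n in ts["us"]], "other:", [str(n) for n in ts["other"]])
    print("LAN 192.168.7.0/24 inside tunnel selector:", lan_covered(sas, "192.168.7.0/24"))
```

      For this log the local selector is 0.0.0.0/0, so the LAN subnet is already inside the negotiated tunnel; a "False" here would point at the Local Network setting, a "True" at routing or firewall policy on the firewall itself.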

        ping...any help?

          coom
          last edited by

          I never managed to get 0.0.0.0 to work in classic IPSec via pfSense.

          Once this P2 has been declared, pfSense passes ALL traffic through the interface and can no longer route its own LAN networks.

          The solution for me was to use IPSec VTI tunnels, which allow you to manage the routing manually (no more implicit rules).

          Using IPSec VTI, pfSense creates a virtual interface, which greatly simplifies operations (static routing, dynamic / conditional routing, NAT, etc.)

          You can find more information at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html ;)

          coom

            damanb1
            last edited by

            To route all the traffic through the IPsec tunnel, please follow the configuration below.

            1. You need firewall Aliases.
              [screenshot: firewall aliases]
              [screenshot: firewall aliases]

            2. You need a virtual IP for DNS routing; it could be any.

            [screenshot: virtual IP]

            [screenshot: virtual IP]

            3. Set the above virtual IP as DNS for VPN clients.

            [screenshot: mobile clients DNS setting]

            Hope this works for you.

            Thanks
            Daman

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.