IPSEC Client Can't Reach Remote Networks



  • Hi everyone

    I have a Windows IPSEC client which is connected to a pfSense box. It can reach hosts on the networks directly connected to the pfSense box. That pfSense box (lets call it site A) also acts an OpenVPN client to another pfSense box in site B.

    [client] <->IPSEC <-> [pfSense site A] <-> [OpenVPN] <-> [pfSense site B] <-> [hosts in site B]

    I would like the IPSEC client connected to site A to be able to reach hosts in site B but the packets don't seem to arrive on site B, even though firewall rules permit the traffic over the IPSEC and OpenVPN interfaces in site A and on the OpenVPN interface in site B. The IPSEC phase 2 sets a local network of 0.0.0.0/0 and the Windows client is manually configured to use the IPSEC VPN server (use default gateway on remote network) as its gateway.

    The pfSense box in site A can reach stuff in site B over that VPN, but my IPSEC client can't. In the OpenVPN client configuration at site A, the networks that my IPSEC client needs to reach are given in the IPv4 Remote Network/s parameter. In the OpenVPN server configuration in site B, the networks that the IPSEC client needs to reach are given in IPv4 Local Network/s and in IPv4 Remote Network/s is the site A IPSEC client network, so I believe it should be fully routable but those packets just don't seem to appear in site B and they're not getting blocked by the firewalls either. I have rules in place to permit the traffic and they're not appearing in the firewall logs as being blocked.

    On pfSense in site A, I can see the packets from the IPSEC client hitting the outbound ovpnc interface but they're not arriving on the ovpns interface in site B. I can see the site B networks in the routing table on pfSense site A. On pfSense site B I can see the IPSEC client network in the routing table. E.g.

    [site a]/root: netstat -rn
    192.168.1.0/24    10.10.0.5          UGS      ovpnc2
    
    [site a]/root: tcpdump -i ovpnc2 src 10.99.100.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpnc2, link-type NULL (BSD loopback), capture size 65535 bytes
    18:36:00.274197 IP 10.99.100.1 > 192.168.1.10: ICMP echo request, id 1, seq 232, length 40
    18:36:24.072718 IP 10.99.100.1 > 192.168.1.10: ICMP echo request, id 1, seq 233, length 40
    18:36:28.781091 IP 10.99.100.1 > 192.168.1.10: ICMP echo request, id 1, seq 234, length 40
    
    [site b]root/: netstat -rn
    10.99.100.0/30      10.10.0.2          UGS      ovpns2
    
    [site b]/root: tcpdump -i ovpns2 src 10.99.100.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpns2, link-type NULL (BSD loopback), capture size 65535 bytes
    <tumbleweeds...>
    

    Have I missed something in the routing somewhere?

    I've tried to set up a separate IPSEC VPN, but Windows 10 doesn't appear to support AES128/192/256 as an AuthenticationTransformConstants parameter and pfSense in site B doesn't appear to support AES128/192/256-GCM.



  • OK, so one thing I notice is that not even the pfsense box the Windows client is connected to over IPSEC can ping or traceroute the Windows client on it's VPN address (10.99.100.1) and the Windows client can't ping or traceroute the pfSense box it is VPNed into using addresses on the IPSEC network (10.99.100.0/30).

    The pfSense server has no interface or IP on the 10.99.100.0/30 network. Is that normal? I'm not that experienced with IPSEC or Windows.

    According to ipconfig on the Window client:

    PPP adapter IPSEC VPN:
    
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : IPSEC VPN
      Physical Address. . . . . . . . . :
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 10.99.100.1(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.255
      Default Gateway . . . . . . . . . : 0.0.0.0
      NetBIOS over Tcpip. . . . . . . . : Enabled
    

    Subnet mask of 255.255.255.255 sounds weird considering it's on a /30.

    Nevertheless, my IPSEC client can ping hosts and reach network services on hosts in the same site as the pfSense box it is VPNed into. As I said, I can see traffic hit the pfSense ovpnc interface in site A as it should get routed over OpenVPN to site B, but it never arrives on the site B ovpns interface.

    Both pfSense boxes can ping/reach stuff in the opposite site.

    Is there anything I can post here that will help diagnose why this isn't working? This should work, right?



  • Client is set up as a mobile client if that's relevant.



  • Also tried with two phase 2s. One for the networks in site and another for the networks in site B. Can still ping site A hosts, still no love with reaching site B.



  • I notice that the enc0 interface has an MTU of 1536 and my OpenVPN client interface ovpnc2 has an MTU of 1500, could that be in any way related? Since I haven't set any of those manually, I assume 36 bytes is to accommodate the IPSEC overhead and once they reach the other end of the tunnel they're below 1500...



  • To close the issue, I found that I had a client-specific override that I have no recollection of creating which set the 'IPv4 remote networks' for the OpenVPN client in site A. Adding the IPSEC subnet to it made everything work.

    Hope that helps somebody else.


Log in to reply