Netgate Discussion Forum

cisco anyconnect connection issue with openvpn client connection

9 Posts 3 Posters 904 Views
  • A
    alfromindiana
    last edited by Nov 25, 2020, 2:50 PM

    Hi! I'm running into an issue where an OSX client on the LAN network can't connect to a VPN server using Cisco AnyConnect only AFTER the pfSense (2.4.5) FW has connected to an AirVPN server. The OSX LAN client can access the internet fine after the pfSense FW has established an AirVPN connection, but for some reason the Cisco AnyConnect VPN isn't working on the OSX client.

    This setup worked fine on an ASUS wifi router setup until we stepped it up to using pfSense.

    • V
      viragomann
      last edited by Nov 25, 2020, 3:42 PM

      Probably you route the AnyConnect VPN over the OpenVPN or the DNS requests, and the hostname cannot be resolved.

      • A
        alfromindiana
        last edited by Nov 25, 2020, 7:46 PM

        "Probably you route the AnyConnect VPN over the OpenVPN"
        That's what I want to do to mask my IP address.

        • V
          viragomann
          last edited by Nov 25, 2020, 7:53 PM

          But possibly that VPN IP is blocked on the Cisco VPN server.
          VPN service providers for instance are blocked on some web services.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Nov 25, 2020, 8:10 PM

            Cisco AnyConnect - would normally be your workplace.. I cannot think of another service that would be using that?

            So you want to hide your IP from your workplace??

            Never a good idea to tunnel inside a tunnel from a performance standpoint...

            Users love to shoot themselves in the foot doing crazy shit - that is for sure..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • A
              alfromindiana
              last edited by Nov 25, 2020, 8:36 PM

              I'm using the same AirVPN server. The performance is fine... it worked previously on an ASUS router, that's why I'm curious as to why it's working on pfSense.

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Nov 25, 2020, 8:44 PM

                And what is your AnyConnect server using? IPsec or DTLS?

                As to performance being fine - doesn't mean it's not taking a hit, not causing extra retrans, etc. etc. Didn't say it wouldn't work - but seems utterly pointless to hide your IP from your workplace.. Unless your workplace thinks you're working from home, and you want to work from elsewhere ;)

                Going through a VPN connection would for sure mean a different NAT if not a double NAT. With DTLS you would have 2 different tunnels, one being TLS, and the other being over 443 via UDP, etc.

                • A
                  alfromindiana
                  last edited by Nov 26, 2020, 1:23 AM

                  I never said it was to hide my IP from workplace :)
                  I think it's using IPsec.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz Nov 26, 2020, 1:47 AM

                    What is the point of running an encrypted tunnel through another encrypted tunnel - if you don't care about hiding the source IP from the destination IP?

                    Not like your ISP can see what you're sending down the VPN..

                    You're shooting yourself in the foot for why??

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.