Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC VPN connects from iOS, but does not route traffic

    Scheduled Pinned Locked Moved IPsec
    4 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      paul1923
      last edited by

      Hi,

      I've followed the guide at https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html and I've setup a IPSEC IKEv2 VPN.

      However, I can't access anything on the local LAN.

      Strangely enough, I can ping my iPhone from the LAN, but the iPhone can't reach any LAN device.

      I've tried to setup a route, but that gets me no where, conflicting with the existing route.

      Thanks

      P

      P 1 Reply Last reply Reply Quote 0
      • P
        paul1923 @paul1923
        last edited by paul1923

        So I've been able to progress this. Turns out some network changes from swapping out my old router caused the bulk of the problems, I can now see a webpage remotely over the VPN.

        However, I can't seem to RDP to my windows server.

        I've tried various combinations of firewall rules and that's getting me no where.

        P 1 Reply Last reply Reply Quote 0
        • P
          paul1923 @paul1923
          last edited by

          A further update, my tests so far have been from an iPhone with an IPv6 address.

          As a VPN client, it's getting strange results. http and https traffic seems to route fine, but anything else fails.

          When I hot-spotted my iPad and used it as a VPN client, everything worked fine. The only difference, my iPad received a class B private ipv4 address with a /28 subnet.

          My iPhone get ipv6 address from my service provider.

          Interestingly, the ip address that is set under VPN / Mobile Clients does not seem to honour the subnet. For example, I've set 10.10.40.0 as the network address and 24 as the subnet. However, My ipad has ignored that subnet and has run with a /8 subnet, ie: 255.0.0.0

          D 1 Reply Last reply Reply Quote 0
          • D
            dognose @paul1923
            last edited by dognose

            We've enountered a lot of Issues with VPN on iOS devices.

            A core-point is Apple's DNS-Privacy: When connected to a wifi, apple by default is ignoring the assigned dns servers (and therefore any dns assigned by the tunnel) and instead is using the apple cloud dns, "to protect your privacy" (at least that's the reason they claim)

            You can set the dns-server for a particular wifi to manual to resolve this. Just becomes very unhandy, if you have hundrets of clients dealing with that "feature".


            Your observation about the IPV6 / IPV4 difference might be the problem:

            Your iPhones provider is using IPV6, and your ipv4-connection is then only an ipv4 over ipv6 tunnel (In our country referred to as "Dual-Stack-Lite / DS-Lite").

            Here you'll have limits on the usable ports - depending on the provider. He might have decided, that a common user needs to use port 80 and 443, therefore created the proper rules for that, but everything else well not be forwarded.

            (Your Phone would be the router here, IPV4 only over nat'd IPV6)
            8ac39221-c653-4377-8ab2-11c2e88ca251-image.png

            Your best option here would be to make your vpn-server ipv6 capable , OR (that's what we did): Use Port 143 - that's IMAPS - nobody is using imap nowadays, but that port is most likely served by your isp.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.