Netgate Discussion Forum

    IPSec VPN

    5 Posts 2 Posters 841 Views
    taing:

      I'm having quite a bit of trouble setting up a VPN that is usable by both Windows 10 and Android clients using only native VPN connections from either.

      I tried to follow the basic recipe in the doc - https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#ipsec-remote-access-vpn-example-using-ikev2-with-eap-mschapv2 but have run into several roadblocks.

      First was the note in the recipe to try the ACME package to install Let's Encrypt certificates - that works just fine EXCEPT the Let's Encrypt certs appear to have the wrong EKU for the job at hand (https://www.reddit.com/r/PFSENSE/comments/6z3ffi/ikev2_vpn_without_self_signed_certificates/). After creating a self-signed CA and cert and installing the certs on the Windows and Android devices things started looking up.

      The Windows client connects but only has partial connectivity - some of the machines on the local network are accessible but several are not. For the machines that are accessible, either direct IP address or local DNS works.

      For Android both native and Strongswan client connect and have the same partial connectivity.

      The only firewall rule I have under the IPSec tab is "pass" for:

      Interface: IPSec
      Address Family: IPv4
      Protocol: any
      Source: Any
      Destination: Any

      There are two local networks - the first has firewall rules to pass all IPv4 traffic to anywhere. The second is more limited in that it passes any traffic to the first network or the IPSec network IP range.

      I can reach most of the machines on the first network (except .13, .52 and .93) and none of the machines on the second network.

      Ping from the firewall (any interface) to the VPN connected laptop doesn't work either.

      I'm not sure where to look. I see nothing in the firewall logs referring to the IPSec interface IP addresses or pings to the second network being dropped.

      Suggestions?

      viragomann @taing:

        @taing said in IPSec VPN:

        I can reach most of the machines on the first network (except .13, .52 and .93) and none of the machines on the second network.

        Can you access these from the respective other local subnet?

        taing @viragomann:

          @viragomann - Absolutely, for the local wireless or wired I have no issues to these machines - both ping and http.

          viragomann @taing:

            @taing
            I cannot think of any setting on pfSense which could cause this, then. Since you can access the device from the other network segment across pfSense, it should work from IPsec as well, as long as there is no IP conflict with the client's network.

            Maybe the destination device itself blocks the access.
            To investigate, sniff the traffic on pfSense on the internal interface. You should see the requests directed to the device and responses coming back from it.
            If there are requests only, check the device's firewall or even the service settings.

            taing @viragomann:

              @viragomann - the packet sniffing and increasing the log detail for ipsec did the trick - two issues:

              1. I had a couple of machines with no gateway defined. This was not an issue for local traffic but creates an issue for the traffic back to the IPSec devices.

              2. In all of the testing I had left the Phase 2 local subnet set to just one of the networks. Changing to Network 0.0.0.0/0 did the trick.

              Thanks for the pointers.

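The two root causes in the final post (hosts without a default gateway, and a Phase 2 "Local Network" that only covered one of the two LANs) are easy to model. The following is an added example, not code from the thread or from pfSense: it takes the Phase 2 local traffic selector, the mobile client address pool, the IPsec-tab pass rule and each LAN host's gateway configuration, and predicts for every host whether a connected mobile client can reach it. It also flags the pool/LAN overlap that viragomann warned about. All addresses, host names and the `PfsenseConfig`/`Host` structures are constructed for the example; the 192.168.1.0/24, 192.168.2.0/24 and 10.10.10.0/24 values stand in for the poster's two LANs and client pool.

```python
"""Reachability model for a pfSense IKEv2 mobile VPN (added example, constructed values)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    address: str
    gateway: Optional[str]               # None models "no gateway defined" on the host
    static_routes: Tuple[str, ...] = ()  # extra routes the host knows about, if any


@dataclass(frozen=True)
class PfsenseConfig:
    phase2_local: str                    # Phase 2 "Local Network" (traffic selector offered to clients)
    mobile_pool: str                     # Mobile Clients "Virtual Address Pool"
    ipsec_pass_any: bool                 # the single "pass any" rule on the IPsec tab
    lan_networks: Tuple[str, ...]        # internal networks behind pfSense


def pool_conflicts(cfg: PfsenseConfig) -> List[str]:
    """LAN networks that overlap the client pool; such a conflict breaks routing regardless of rules."""
    pool = ip_network(cfg.mobile_pool)
    return [n for n in cfg.lan_networks if ip_network(n).overlaps(pool)]


def forward_path_ok(cfg: PfsenseConfig, dest: str) -> Tuple[bool, str]:
    """Client -> host direction.

    A packet only enters the tunnel if the destination matches the Phase 2 local
    selector the client negotiated; once decrypted it must pass the IPsec-tab rule.
    """
    if ip_address(dest) not in ip_network(cfg.phase2_local):
        return False, f"destination {dest} is outside the Phase 2 local network {cfg.phase2_local}"
    if not cfg.ipsec_pass_any:
        return False, f"IPsec-tab firewall rule blocks traffic to {dest}"
    return True, ""


def return_path_ok(cfg: PfsenseConfig, host: Host) -> Tuple[bool, str]:
    """Host -> client direction.

    The client pool is never on-link for a LAN host, so replies need a default
    gateway (pfSense) or a static route that covers the pool.
    """
    pool = ip_network(cfg.mobile_pool)
    if host.gateway is not None:
        return True, ""
    if any(pool.subnet_of(ip_network(r)) for r in host.static_routes):
        return True, ""
    return False, f"{host.name} has no gateway or route back to the client pool {cfg.mobile_pool}"


def diagnose(cfg: PfsenseConfig, hosts: List[Host]) -> Dict[str, str]:
    """Return a per-host verdict: 'reachable' or 'unreachable: <reason>'."""
    verdicts: Dict[str, str] = {}
    for h in hosts:
        ok, why = forward_path_ok(cfg, h.address)
        if ok:
            ok, why = return_path_ok(cfg, h)
        verdicts[h.name] = "reachable" if ok else f"unreachable: {why}"
    return verdicts


def thread_scenario():
    """Constructed configs modelling the thread before and after the two fixes."""
    lans = ("192.168.1.0/24", "192.168.2.0/24")
    hosts_before = [
        Host("net1-server", "192.168.1.10", gateway="192.168.1.1"),
        Host("net1-printer", "192.168.1.13", gateway=None),       # one of the ".13/.52/.93" style hosts
        Host("net2-nas", "192.168.2.5", gateway="192.168.2.1"),
    ]
    before = PfsenseConfig("192.168.1.0/24", "10.10.10.0/24", True, lans)  # Phase 2 covers LAN 1 only
    after = PfsenseConfig("0.0.0.0/0", "10.10.10.0/24", True, lans)        # Phase 2 set to 0.0.0.0/0
    hosts_after = [replace(h, gateway=h.gateway or "192.168.1.1") for h in hosts_before]
    return before, after, hosts_before, hosts_after


if __name__ == "__main__":
    before, after, hosts_before, hosts_after = thread_scenario()
    for label, cfg, hosts in (("before", before, hosts_before), ("after", after, hosts_after)):
        print(f"--- {label} (pool conflicts: {pool_conflicts(cfg) or 'none'})")
        for name, verdict in diagnose(cfg, hosts).items():
            print(f"{name:12s} {verdict}")
```

The "before" run reproduces the symptom pattern from the thread: hosts on the first LAN with a gateway are reachable, a host on the first LAN with no gateway fails on the return path, and everything on the second LAN fails on the forward path because the Phase 2 selector never included it. Note that the model only covers the pfSense side and host routing; a host firewall that drops traffic from a non-local source (the other cause viragomann suggested) would still need the packet capture described above to spot.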
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.