IPSec Mobile client internet access
-
Hello,
I have set up an IKEv2 mobile IPsec for a Windows client and it is working fine.
The problem is that once connected, Windows does not have internet. Reaching the LAN subnet on pfSense is working. Now I saw that in order to accomplish that, it needs to have a local network of 0.0.0.0/0 on P2.
The problem is that I cannot set this value because I get the error "Phase2 with this Local Network is already defined for mobile clients."
I really don't understand what the issue is.
Thanks
-
Try just sending the pfSense subnet to the Windows client. So if the subnet behind pfSense is 192.168.XX.XX/24, use that instead of 0.0.0.0/0 in the Local Network Address section. This is what they call split-tunneling. Giving mobile clients 0.0.0.0/0 means all their traffic is routed to the VPN, which would cause the Internet on the client to go down if the firewall rule isn't applied properly in pfSense.
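To make the split-tunnel versus full-tunnel behaviour described above concrete, here is an added Python example (not code from pfSense, strongSwan or anyone in this thread). It models how the server's Phase 2 Local Network narrows the 0.0.0.0/0 traffic selector that the Windows built-in client proposes when "Use default gateway on remote network" is enabled, and shows which destinations end up inside the tunnel in each case. The subnets and destination addresses are constructed for the example.

```python
# Added example (not pfSense or strongSwan code): how the Phase 2 "Local Network"
# of a mobile IPsec entry decides which client traffic enters the tunnel.
# The Windows built-in client with "Use default gateway on remote network"
# proposes 0.0.0.0/0; the responder narrows that to its configured local
# traffic selector (RFC 7296 section 2.9). Subnets below are constructed.
from ipaddress import ip_address, ip_network


def narrow_selector(server_local_ts: str, client_proposed_ts: str):
    """Intersection of the server's local TS and the client's proposal.

    Returns the narrowed network, or None when they do not overlap
    (the responder would answer TS_UNACCEPTABLE in that case).
    """
    server = ip_network(server_local_ts, strict=False)
    client = ip_network(client_proposed_ts, strict=False)
    if server.subnet_of(client):
        return server          # typical road-warrior case: server narrows
    if client.subnet_of(server):
        return client          # client asked for less than the server offers
    return None


def goes_through_tunnel(selector, destination: str) -> bool:
    """True when a packet to `destination` matches the narrowed selector."""
    return selector is not None and ip_address(destination) in selector


def client_route_plan(server_local_ts: str, destinations):
    """Map each destination to whether the client sends it into the tunnel.

    Models a Windows client that proposes 0.0.0.0/0 (default gateway on the
    remote network). A False entry leaves via the client's own default route,
    which is the split-tunnel behaviour; a True entry arrives at pfSense from
    the mobile pool address and needs an IPsec-tab firewall rule plus outbound
    NAT covering the mobile pool before it can reach the Internet.
    """
    selector = narrow_selector(server_local_ts, "0.0.0.0/0")
    return {dst: goes_through_tunnel(selector, dst) for dst in destinations}


if __name__ == "__main__":
    # constructed probes: one host on the pfSense LAN, one public resolver
    probes = ["192.168.10.20", "1.1.1.1"]
    print("split tunnel (P2 local = LAN subnet):",
          client_route_plan("192.168.10.0/24", probes))
    print("full tunnel  (P2 local = 0.0.0.0/0): ",
          client_route_plan("0.0.0.0/0", probes))
```

With the LAN subnet as the Phase 2 Local Network, only 192.168.10.20 is tunnelled and 1.1.1.1 still goes out the client's own Internet connection; with 0.0.0.0/0 both are tunnelled, so the client has no Internet until pfSense both permits that traffic on the IPsec interface and NATs the mobile pool addresses out of the WAN.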
-
@hzrnbgy Well, I tried your suggestion but it did not work, because it is the same as setting "Local Network" = "LAN subnet" instead of "Network", like shown on the screenshot.
-
Are you using the Windows built-in IPsec VPN client? If so, you should not use Tunnel Mode IPsec since that is more suited for site-to-site VPN. Your use case is more of Transport Mode IPsec.
-
@hzrnbgy yes, I'm using the built-in Windows VPN client. Still, even in transport mode it does not work. I cannot even reach the LAN network.
-
@albgen said in IPSec Mobile client internet access:
0.0.0.0/0 on P2.
On previous versions of pfSense, entering this subnet was working.
Why did they change it by not allowing that subnet to be entered?
-
Do you mind posting your P1 and P2 configuration so we can try to work out the settings? You can remove personal info such as IPs and passwords.
-
Phase1
Phase2
Mobile Client section