Netgate Discussion Forum

    local subnets behind firewall not reachable when routing all mobile client traffic through VPN gateway

      shpokas

      Hi,
      I have almost wrenched my brains out trying to understand why this happens.
      IPsec mobile clients can connect and reach internal networks until I set the Phase 2 config to 0.0.0.0/0.
      When I do that, all internet traffic from the mobile client indeed goes to the internet through the VPN gateway, verified for example by pinging and tracerouting the address 1.1.1.1.
      However, the mobile client cannot reach internal servers anymore, including the DNS server.
      I did traffic captures, and on the enc0 interface I see ICMP packets being sent from the mobile client to the internal server and also ICMP replies going back:

      tcpdump -nn -i enc0 host 10.17.1.1 and icmp
      ...
      21:49:49.196272 (authentic,confidential): SPI 0xc875b54c: IP 10.17.1.1 > 192.168.17.17: ICMP echo request, id 53257, seq 46, length 64
      21:49:49.196537 (authentic,confidential): SPI 0xc132342e: IP 192.168.17.17 > 10.17.1.1: ICMP echo reply, id 53257, seq 46, length 64
      21:49:50.192660 (authentic,confidential): SPI 0xc875b54c: IP 10.17.1.1 > 192.168.17.17: ICMP echo request, id 53257, seq 47, length 64
      21:49:50.192942 (authentic,confidential): SPI 0xc132342e: IP 192.168.17.17 > 10.17.1.1: ICMP echo reply, id 53257, seq 47, length 64
      

      But on the WAN interface I tried this capture, and I see only traffic from the client to the server and nothing coming back:

      tcpdump -nn -i mvneta2 port ipsec-nat-t 
      ...
      21:52:06.194017 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16c), length 104
      21:52:06.194074 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16d), length 112
      21:52:06.194108 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16e), length 104
      21:52:06.194140 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16f), length 96
      21:52:06.194169 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x170), length 104
      21:52:06.197596 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x171), length 104
      

      Please help! 🙏🏻
      Thanks!

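The post compares the two captures by eye. The script below is an added example (not part of the original post, and not Netgate code) that mechanizes that comparison: it parses the enc0 and WAN tcpdump lines quoted in the post, indexes both by SPI, and reports for each SPI seen in cleartext on enc0 whether a matching ESP packet ever appears on the WAN and in which direction. On a FreeBSD-based firewall the enc interface shows outbound packets before encryption and inbound packets after decryption, so an SPI whose cleartext shows up on enc0 but whose ESP never appears on the WAN has been dropped or redirected somewhere between those two taps, which is exactly the gap the post's captures expose. The sample input is the post's own output; the gateway address VPN_GATEWAY_EXT_IP is the post's placeholder, and the regex also accepts the numeric port 4500 that `tcpdump -nn` prints when no placeholder substitution has been done.

```python
import re
from collections import defaultdict

# Sample input: the tcpdump lines quoted in the post above (enc0 capture).
ENC0_CAPTURE = """\
21:49:49.196272 (authentic,confidential): SPI 0xc875b54c: IP 10.17.1.1 > 192.168.17.17: ICMP echo request, id 53257, seq 46, length 64
21:49:49.196537 (authentic,confidential): SPI 0xc132342e: IP 192.168.17.17 > 10.17.1.1: ICMP echo reply, id 53257, seq 46, length 64
21:49:50.192660 (authentic,confidential): SPI 0xc875b54c: IP 10.17.1.1 > 192.168.17.17: ICMP echo request, id 53257, seq 47, length 64
21:49:50.192942 (authentic,confidential): SPI 0xc132342e: IP 192.168.17.17 > 10.17.1.1: ICMP echo reply, id 53257, seq 47, length 64
"""

# Sample input: the WAN (mvneta2) capture from the post; CLIENT_EXT_IP and
# VPN_GATEWAY_EXT_IP are the placeholders the poster used.
WAN_CAPTURE = """\
21:52:06.194017 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16c), length 104
21:52:06.194074 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16d), length 112
21:52:06.194108 IP CLIENT_EXT_IP.ipsec-nat-t > VPN_GATEWAY_EXT_IP.ipsec-nat-t: UDP-encap: ESP(spi=0xc875b54c,seq=0x16e), length 104
"""

# enc0 line: "... SPI 0x<hex>: IP <src> > <dst>: ICMP ..."
ENC0_RE = re.compile(r"SPI 0x([0-9a-f]+): IP (\S+) > (\S+): ")
# WAN line: "IP <src>.ipsec-nat-t > <dst>.ipsec-nat-t: UDP-encap: ESP(spi=0x<hex>,..."
# "ipsec-nat-t" is the service name; with -nn tcpdump prints the port 4500 instead.
WAN_RE = re.compile(
    r"IP (\S+)\.(?:ipsec-nat-t|4500) > (\S+)\.(?:ipsec-nat-t|4500): "
    r"UDP-encap: ESP\(spi=0x([0-9a-f]+)"
)


def parse_enc0(text):
    """Map SPI -> set of (inner_src, inner_dst) seen in cleartext on enc0."""
    flows = defaultdict(set)
    for line in text.splitlines():
        m = ENC0_RE.search(line)
        if m:
            spi, src, dst = m.groups()
            flows[spi].add((src, dst))
    return flows


def parse_wan(text):
    """Map SPI -> set of (outer_src, outer_dst) for UDP-encapsulated ESP on the WAN."""
    sas = defaultdict(set)
    for line in text.splitlines():
        m = WAN_RE.search(line)
        if m:
            src, dst, spi = m.groups()
            sas[spi].add((src, dst))
    return sas


def correlate(enc0_text, wan_text, gateway_ext_ip):
    """For every SPI seen on enc0, report whether its ESP reached the WAN and which way.

    An SPI whose outer destination is always the gateway is an inbound SA
    (ESP arrived, was decrypted, then shown on enc0).  An SPI that appears on
    enc0 but never on the WAN is an outbound SA whose encrypted packets never
    left the box: that is the asymmetry to chase on the firewall.
    """
    enc0 = parse_enc0(enc0_text)
    wan = parse_wan(wan_text)
    report = {}
    for spi, inner in enc0.items():
        outer = wan.get(spi, set())
        if not outer:
            status = "missing on WAN"
        elif all(dst == gateway_ext_ip for _, dst in outer):
            status = "inbound ESP seen"
        else:
            status = "outbound ESP seen"
        report[spi] = {"inner_flows": sorted(inner), "status": status}
    return report


def stranded_spis(enc0_text, wan_text, gateway_ext_ip):
    """SPIs with cleartext on enc0 but no ESP on the WAN, sorted."""
    rep = correlate(enc0_text, wan_text, gateway_ext_ip)
    return sorted(spi for spi, r in rep.items() if r["status"] == "missing on WAN")


if __name__ == "__main__":
    for spi, r in correlate(ENC0_CAPTURE, WAN_CAPTURE, "VPN_GATEWAY_EXT_IP").items():
        print(f"SPI 0x{spi}: {r['status']:18s} inner flows: {r['inner_flows']}")
    print("stranded outbound SAs:", stranded_spis(ENC0_CAPTURE, WAN_CAPTURE, "VPN_GATEWAY_EXT_IP"))
```

Run against the post's lines, the request SPI 0xc875b54c is reported as inbound ESP seen on the WAN, while the reply SPI 0xc132342e is flagged as missing on the WAN: the replies are being handed to IPsec (they show on enc0) but their ESP never leaves the gateway. Feeding the script fresh `tcpdump -nn` output from both interfaces during a test ping gives the same answer in seconds and makes it easy to confirm whether a configuration change has closed the gap.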
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.