IPSec established, no Traffic passing.
-
I was also able to get mobile IPSEC working, no tweaking necessary. I attached a windows 7 machine via the shrewsoft ipsec client and was able to access both the firewall and machines on the lan.
Used the 20100514-2225 iso on an old Pentium III.
-
eazydor, are you trying to connect to pfsense from the same machine that is hosting vm? If that is the case you might need a static route for road warrior traffic to be sent back to vm and not to your default gateway. What interfaces do you have on vm and how are they attached to your net? When you say that tunnel is established how do you know that? From the log that you posted earlier it seems that tunnel is deleted right after it is established.
-
Yes and no.
I tried from the vm-host & iphone to connect.
VMHosts spd's are getting deleted, but the ones from the iphone stays and seems to be correct..
So, i tried to access pfsense's lan ip from the iphone connected to the same network than vmhost, which has 2 bridged interfaces on 1 physical interface. Since bridging is happening on layer2, i don't see the interference..
But still, the routing tip is correct, i din't mentioned that on a mac, you have to priorise connections in order to have automated routing (interface with higher prio gets the lower weight in the routing table).
After all, you are right about the vmhost routing problem, cause my mac keeps trying to connect via lan and not ipsec.
But still, i don't get why my phone can't pass traffic..
I believe to client is connected, because client and pfsense's log says, that iphone established the connection, recieved an ip and spd's are were created..
Btw, thanks for your patience.. -
It's seems to me that your setup is quite complex and it's very likely that you might have missed something somewhere. I would suggest you to setup a bit simpler environment to eliminate some of the complexity.
This is how I test with VM: VM is running on my desktop and has 2 interfaces. First interface shares hosts LAN access (VM has it's own IP on physical network so you can say it's attached to my physical pfSense box LAN). Second interface is host-only so traffic is being passed only between my desktop and VM. I then forward ports 500 and 4500 from WAN on my physical pfSense box (gateway) to virtual machine and try to connect to VPN from iPhone using 3G. Once tunnel is up and running I can access VM and my desktop pc from iPhone. The only thing I need to do is setup a static route on my desktop to pass all traffic coming from iPhone back to VM via host-only network.
You can try to troubleshoot this by running tcpdump on various machines/interfaces and see where traffic is being blocked. You should see ESP traffic coming into VM and TCP traffic leaving VM, then TCP traffic coming and leaving your mac and finally TCP traffic from mac coming into VM and leaving as ESP traffic to your iPhone.
-
i thought too.. adding complexity to ipsec is never a good idea..
but thank you for your setup. i will give it a try..
you see, if you could get traffic over your tunnel, it´s obvious that it´s fixed and works. So i can't lay down until it works and i understood what was going on..
these forum´s are awesome.. even if i couldn't fix the problem, i learn so much here..
-
so you don't connect directly to pfsense's wan interface, you go via nat over the vm-host?
or how do you speak from iphone to pfsense's wan, when you have a host-only connection on that interface.. (host-only= virtual interface?)
-
When using my physical pfSense box I use wan interface but when I am testing with vm I forward IPSec ports to VMs wan interface which is connected to my physical network.
-
allright, to test with 2 independent networks..
but that´s mainly the problem when testing networking-stuff, at least to me.. because a virtualized test-environment is almost always coupled with unforeseen behavior (routing, loopbacks, bridged or virtual interfaces&devices, etc..)
i think, i'm gonna order an alix- or atom-board for testing purposes…
but you see, that´s why i love my job, it´s almost always the fault of humans, in this case, my fault..
anyhow, good to know that this part (spd's) has been fixed..
-
The SPD problem is still present, but maybe not in his specific case.
-
does somebody know where i can monitor the changes regarding this problem?
