Netgate Discussion Forum

    IPSec - Shrew Client to pfsense then through tunnel….

    santinelli

      Hi Folks, I was hoping someone can help me.

      I currently have an IPsec tunnel between 2 offices.  One a Netgear box and the other a pfSense box.  Tunnel works great and the 2 networks see each other fine.

      I've installed the Shrew client at home, and can connect into the pfSense box and network just fine.  I CANNOT see across the tunnel to the other office though.

      I followed HackTheory's notes on setting up Shrew and like I said, that seems to be working great.  Just can't get across the tunnel to my .57 network…

      Thanks for any assistance you can provide!

      Steve

      santinelli

        A bit more information….  VPN client Shrew, pfSense version 1.2.3

        I'm thinking, maybe some sort of route?  I know when I was working with my old Cisco, I had to set up a rule to allow the client to hit other networks....

        Thanks

        jimp (Rebel Alliance Developer, Netgate)

          The way IPsec works, traffic has to exactly match the Phase 2 settings (local and remote subnet) for the IPsec tunnel, or traffic cannot enter the tunnel.

          The only way to see the Netgear subnet from the Shrew client would be to have a second phase 2 definition that covers the path between those two networks.

          That isn't easily doable on pfSense 1.2.3 (works great on 2.0), and may be impossible on the Netgear.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          santinelli

            Thank you for the reply jimp, I greatly appreciate it.  I'll check out the 2.0 and see if it will work.

            Thanks again!

            Steve

            @jimp:

            The way IPsec works, traffic has to exactly match the Phase 2 settings (local and remote subnet) for the IPsec tunnel, or traffic cannot enter the tunnel.

            The only way to see the Netgear subnet from the Shrew client would be to have a second phase 2 definition that covers the path between those two networks.

            That isn't easily doable on pfSense 1.2.3 (works great on 2.0), and may be impossible on the Netgear.

            jmarquez

              Good evening.

              I have the same problem.
              I'm using pfSense 2.0 RC3 and Shrew Soft VPN client version 2.1.7.
              I have an IPsec site-to-site tunnel working fine and a road warrior connected to one of the ends.

              I don't really know which phase 2 should match. I mean, should I change phase 2 for the tunnel or phase 2 for mobile clients?
              Also, should the change be applied in both ends of the site-to-site?

              This is my IPSec config:

              pfSense on Site A:
              IP: 10.0.10.1/24
              tunnel: LAN -> 192.168.5.0/24

              pfSense on Site B:
              IP: 192.168.5.1/24
              tunnel: LAN -> 10.0.10.0/24

              Shrew client:
              IP: 192.168.111.5/24

              Thank you very much indeed.
              Jesus

              jimp (Rebel Alliance Developer, Netgate)

                The phase 2 entries for the site-to-site tunnel have to match/include the mobile clients, so that both ends of the site-to-site tunnel know that the mobile client traffic is OK.

                jmarquez
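                The selector rule jimp describes in both of his replies (a packet is only tunnelled when its source falls inside the local subnet and its destination inside the remote subnet of some Phase 2 entry, on both peers) can be checked offline. The following is an added example, not code from the thread or from pfSense: it models jmarquez's two sites with the addresses from his post, treats the Shrew client's 192.168.111.5/24 as coming from an assumed mobile pool of 192.168.111.0/24, and shows that the road-warrior flow to Site B's LAN matches nothing until a mirrored Phase 2 pair for the mobile pool exists at both ends of the site-to-site tunnel.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread (jmarquez's post). The mobile pool is an
# assumption: the client shows 192.168.111.5/24, so the pool is taken
# as 192.168.111.0/24.
SITE_A_LAN = ip_network("10.0.10.0/24")
SITE_B_LAN = ip_network("192.168.5.0/24")
MOBILE_POOL = ip_network("192.168.111.0/24")

# Phase 2 entries as (local subnet, remote subnet) pairs, one list per site.
# "Before": the site-to-site pair on both ends, plus the mobile-client
# entry on Site A, where the road warrior terminates.
BEFORE_A = [(SITE_A_LAN, SITE_B_LAN), (SITE_A_LAN, MOBILE_POOL)]
BEFORE_B = [(SITE_B_LAN, SITE_A_LAN)]

# "After": both ends of the site-to-site tunnel also carry a pair that
# covers mobile pool <-> far LAN, mirrored so each side sees the same flow.
AFTER_A = BEFORE_A + [(MOBILE_POOL, SITE_B_LAN)]
AFTER_B = BEFORE_B + [(SITE_B_LAN, MOBILE_POOL)]


def matches_phase2(phase2_entries, src, dst):
    """Return the first (local, remote) pair covering src -> dst, else None.

    This is the policy lookup a policy-based IPsec gateway performs before
    encrypting: no matching selector means the packet never enters the
    tunnel and simply follows the ordinary routing table instead.
    """
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in phase2_entries:
        if src in local and dst in remote:
            return (local, remote)
    return None


def site_to_site_path(site_a_p2, site_b_p2, src, dst):
    """Check both directions of a flow that must cross the A<->B tunnel.

    'a_to_b' is the selector hit when A forwards src -> dst into the tunnel;
    'b_to_a' is the selector hit when B sends the reply dst -> src back.
    Either being None means the flow is broken at that hop.
    """
    return {
        "a_to_b": matches_phase2(site_a_p2, src, dst),
        "b_to_a": matches_phase2(site_b_p2, dst, src),
    }


def flow_works(site_a_p2, site_b_p2, src, dst):
    """True only when both directions of the flow match a Phase 2 entry."""
    hops = site_to_site_path(site_a_p2, site_b_p2, src, dst)
    return all(hit is not None for hit in hops.values())


if __name__ == "__main__":
    # LAN-to-LAN traffic already works with the original configuration.
    print("LAN A -> LAN B, before:",
          flow_works(BEFORE_A, BEFORE_B, "10.0.10.20", "192.168.5.10"))
    # The Shrew client's traffic matches nothing until the extra pairs exist.
    print("mobile -> LAN B, before:",
          flow_works(BEFORE_A, BEFORE_B, "192.168.111.5", "192.168.5.10"))
    print("mobile -> LAN B, after: ",
          flow_works(AFTER_A, AFTER_B, "192.168.111.5", "192.168.5.10"))
```

When troubleshooting, this is also the detection angle: packets that fail the selector lookup do not show up in the tunnel at all, they leave via the normal route, so capturing on the WAN interface for the road warrior's source address is the quickest way to confirm a missing Phase 2 pair rather than a firewall rule.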

                  Hi.

                  Thank you very much for your help.

                  I have created the tunnel and everything seems to be okay until it stops working for no reason.
                  Having a look at other threads of this forum, it seems to get back to work when the racoon service is restarted.

                  In other posts it is suggested to check the option "System -> Advanced -> Miscellaneous -> Prefer older IPsec SAs", but in the end I have to restart the racoon service.

                  Any help appreciated

                  Thank you very much.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.