Netgate Discussion Forum

Shrew soft, IPSec Mobile issues, connects but cannot PING! Please Help!

12 Posts 5 Posters 33.9k Views
    bdwyer
    last edited by Feb 13, 2012, 10:43 PM

    On pfSense, ensure you have the Phase 2 Local Network Type set to LAN subnet or whatever network your server resides on.  Also, on the mobile settings list, check the Network List, I do not know why the guides on here say not to do that.

    On the Shrewsoft client, make sure you have Policy Generation set to Unique, and Obtain Topology Automatically enabled.

    Eventually, you may want to force NAT Traversal on, but wait until you have a stubborn network which you cannot VPN from before you try that.

    CCNP, MCITP

    Intel Atom N550 - 2gb DDR3
    Jetway NC9C-550-LF
    Antec ISK 300-150
    HP ProCurve 1810-24
    Cisco 1841 & 2821, Cisco 3550 x3

      cakewipe
      last edited by Jun 14, 2012, 6:43 AM

      Hi,
      Thanks for the help and sorry for the long delay but I've been working on other projects.
      Vorkbaard sent me this reply via IM.
      @Vorkbaard:

      Hi, I read your post and I had more or less the same problem. I'm sending you a dm so as not to spam the forum as I have already posted a general topic advertising the article I wrote on how I solved this.

      If you're interested, here is my solution: https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

      Hope it helps!

      I followed his instructions and now I am able to see my pfSense server admin console and ping it fine over the vpn but I still can't ping the file server or access the URL of the server.

      In the instructions he doesn't go into the firewall or the NAT settings very much and I'm wondering if this is my problem.
      I went in and opened all ports for IPsec and WAN and LAN but I still can't see the fileserver.

      I've made a simple drawing of my setup and I'm hoping someone can help me figure out why I can't see my fileserver.

      None of the other replies helped at all and if I can't figure pfsense out then I may need to go to another type of router.  :'(
      My setup is really very simple but I can't seem to figure out what I am missing. I am sure it's something simple.

      Thanks in advance.

        cakewipe
        last edited by Jun 15, 2012, 9:45 PM

        Can nobody help? 
        I can access the internet from the server through the pfsense router and can connect to the router through vpn I just can't access the server.

          cakewipe
          last edited by Jun 16, 2012, 2:05 AM

          After a TON of reading and trial and error I finally found a setting that allowed me to ping my fileserver.  I've noticed a ton of people have similar issues and nobody seems to help them so I'm hoping this will help someone.

          In the forum I stumbled across this post http://forum.pfsense.org/index.php/topic,49289.0.html his network seems much different from mine but I decided to follow the instructions laid out here: http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
          I had to set up a Static Route

          and I also had to add the LAN IP address as my LAN Gateway

          I can now ping just fine but I don't understand why this static route was necessary.  Mine is a simple client connecting to a server through IPSec VPN.  This seems like one of the most basic VPN configurations and something like this wouldn't be necessary.
          Since I've set up this static route my connection has become VERY unstable.
          Is there a better solution someone can think of?

            cakewipe
            last edited by Aug 9, 2012, 3:48 AM

            Finally after much trial and error, I decided to pay the $600 for support to figure out why I couldn't access my server without a static route.  It turns out my default gateway on my server got reset to 0.0.0.0.  I know this is a stupid error but I did set it up before. It took many hours to figure out and I hope this can help someone else.  I could see the server through a cisco vpn with the same settings so I didn't think it could be a setting on the Server itself.

            With their help, I was able to configure my vpn to be accessible through Shrewsoft (windows), IOS and Android devices.  I am trying to document the settings I used but in the meantime if anyone needs help with the same thing ping me and I can send you the settings I have.

            Thanks to chris and jim for your help.

              jimp Rebel Alliance Developer Netgate
              last edited by Aug 14, 2012, 2:08 PM

              As an additional note, the reason it was working with the static route wasn't because of the static route, but because you had the LAN "gateway" set on the LAN interface page, which caused it to apply outbound NAT to the traffic leaving the LAN interface. Due to the outbound NAT, the traffic leaving that interface appeared to come from the firewall itself, so it returned OK since your server believed it originated from within its own subnet.

              Kind of a tricky one, surely.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!
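
The return-path behaviour described in the post above, modelled as an added example that is not part of the original thread or of pfSense: it checks whether the server can route a reply to the source address it sees, with and without outbound NAT on the LAN interface. All addresses (server `192.168.1.10/24`, firewall LAN `192.168.1.1`, VPN client `10.0.5.2`) and function names are constructed for illustration.

```python
import ipaddress

def reply_path(server_if, default_gw, src):
    """How a host at server_if routes a reply to src, or None if it has no route."""
    iface = ipaddress.ip_interface(server_if)
    if ipaddress.ip_address(src) in iface.network:
        return "on-link"                      # same subnet: answered directly
    gw = ipaddress.ip_address(default_gw)
    if gw.is_unspecified or gw not in iface.network:
        return None                           # 0.0.0.0 or unreachable gateway
    return f"via {gw}"

def ping_over_vpn(server_if, default_gw, client_ip, fw_lan_ip, nat_on_lan):
    """Model one echo request from a mobile IPsec client to the LAN server.

    nat_on_lan=True represents outbound NAT on the LAN interface (the side
    effect of setting a gateway on the LAN interface page): the server then
    sees the firewall's LAN address as the source instead of the client's.
    """
    seen_src = fw_lan_ip if nat_on_lan else client_ip
    path = reply_path(server_if, default_gw, seen_src)
    return {"source_seen": seen_src, "reply_path": path, "works": path is not None}

# Constructed sample addressing (assumptions, not taken from the thread).
SERVER = "192.168.1.10/24"
FW_LAN = "192.168.1.1"
CLIENT = "10.0.5.2"

SCENARIOS = {
    "gateway reset to 0.0.0.0, no NAT":  ("0.0.0.0", False),
    "gateway reset to 0.0.0.0, LAN NAT": ("0.0.0.0", True),
    "gateway restored, no NAT":          (FW_LAN, False),
}

def run_all():
    return {name: ping_over_vpn(SERVER, gw, CLIENT, FW_LAN, nat)
            for name, (gw, nat) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:36} {result}")
```

The second scenario works only because the server never sees the client's real address, which also hides the VPN client's identity from the server's logs and any per-source access controls.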

                sslinfotech
                last edited by Jul 3, 2013, 9:38 AM

                @cakewipe:

                Finally after much trial and error, I decided to pay the $600 for support to figure out why I couldn't access my server without a static route.  It turns out my default gateway on my server got reset to 0.0.0.0.  I know this is a stupid error but I did set it up before. It took many hours to figure out and I hope this can help someone else.  I could see the server through a cisco vpn with the same settings so I didn't think it could be a setting on the Server itself.

                With their help, I was able to configure my vpn to be accessible through Shrewsoft (windows), IOS and Android devices.  I am trying to document the settings I used but in the meantime if anyone needs help with the same thing ping me and I can send you the settings I have.

                Thanks to chris and jim for your help.

                Can you send me the configuration details…pls...ssl3004@yahoo.com

                thanks

                  cakewipe
                  last edited by Jul 3, 2013, 7:57 PM

                  Can you send me the configuration details…pls...ssl3004@yahoo.com

                  thanks

                  Sent to ssl3004@yahoo.com

                    cakewipe
                    last edited by Jul 3, 2013, 8:45 PM Jul 3, 2013, 8:35 PM

                    I have added my documentation to google docs so anyone can see it.

                    Here is the link for pfSense Router settings
                    https://docs.google.com/file/d/0B2zOOBoh3isOSmtYakVEc3ZNWDA/edit?usp=sharing

                    Here is the link for Shrewsoft, Android, iOS Clients.
                    https://docs.google.com/document/d/1Pl21sk7ckU6dSqgxtXu6iNIv8-60bv7AFFVUQwdJ_WE/edit?usp=sharing

                    Please leave comments if this is helpful so I will know not to remove the documents from my share.

                      les_garten
                      last edited by Aug 28, 2013, 5:54 PM

                      @cakewipe:

                      I have added my documentation to google docs so anyone can see it.

                      Here is the link for pfSense Router settings
                      https://docs.google.com/file/d/0B2zOOBoh3isOSmtYakVEc3ZNWDA/edit?usp=sharing

                      Here is the link for Shrewsoft, Android, iOS Clients.
                      https://docs.google.com/document/d/1Pl21sk7ckU6dSqgxtXu6iNIv8-60bv7AFFVUQwdJ_WE/edit?usp=sharing

                      Please leave comments if this is helpful so I will know not to remove the documents from my share.

                      Hello Cakewipe,
                          Thanks for your work here.  I am having a similar problem to the one you had.  When the client connects, there is no route handed to the client according to ipconfig on the Windows box.

                      I see no route to that network on the pfSense box.

                      So looking over your doc above it looks like you are still using the static route, is that true?

                      Did you have to use PSK-Xauth?  It wouldn't work with just PSK?

                      I looked over your doc

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.