Got tunnel, now the routing…


  • I have a brand new 2.0.1 pfsense, currently it's in a test environment.
    I'm now trying to set up an IPsec host-to-network (mobile warrior) VPN, with another machine on a separate LAN.
    OSX 10.6.8 with VPN Tracker 5.

    Establishing the tunnel works great, but I'm unable to access or ping any address on the network, including pfsense.

    Setup:
    Network:  192.168.1.0 / 24
    VPN client network: 192.168.8.0/24
    VPN client LAN IP: 192.168.8.55

    relevant pfsense settings:
    IPsec phase 1 My identifier:  My IP address
        NAT Traversal enabled
    IPsec phase 2  Tunnels:
        Mode: tunnel
        Local Network: Type: Network
        Address: 192.168.1.0/24
    Mobile clients: Client Configuration:
      Virtual Address Pool: enabled, network 192.168.1.0/24

    Firewall has IPsec allowed for any/any

    Relevant VPN client settings
        Local Address:  77.77.77.77
        Remote Network: 192.168.1.0 / 255.255.255.0

    In pfsense's IPsec log all the references are to the public IP addresses of both WANs, except at the end:
      no policy found, try to generate the policy: 77.77.77.77/32[0] 192.168.1.0/24[0]
    Then it ends with
        IPsec-SA established: ESP 74.112.151.148[500]->74.89.151.50[500] spi=….

    Interesting entries from the VPN client log:
    21:34:25 Phase 1 Finished
    21:34:25 Next step: Processing vpntrackerd connection request
    21:34:25 Next step: Finishing Phase 1
    21:34:25 Next step: Creating policies
    21:34:25 Next step: Rollback: Adding policy
    21:34:25 Next step: Adding policy 77.77.77.77/32[any] <--> 192.168.1.0/24[any] / unique
    …..
    21:34:25 Phase 2 Finished
    21:34:25 Next step: Processing vpntrackerd connection request
    21:34:25 Next step: Finishing Phase 2
    21:34:25 Next step: Finishing connection
    21:34:25 Next step: Rollback: Adding SA 192.168.8.55 <--> 74.112.151.148
    21:34:25 Next step: Configuring interface
    21:34:25 Next step: Creating gif0 interface
    21:34:25 Next step: Rollback: Adding gif0 interface
    21:34:25 Next step: Setting up routes
    21:34:25 Next step: Adding route for 74.112.151.148 over 192.168.8.254 via en1
    21:34:25 Next step: Rollback: Adding route to 74.112.151.148
    21:34:25 Next step: Adding route for 192.168.1.0/24 over gif0
    21:34:25 Next step: Rollback: Adding route to 192.168.1.0/24

    21:34:25 Connected

    Any ideas are appreciated. Thanks!


  • I should also note that I tried to connect via an iPhone, both from within the 192.168.8.x network and on Verizon 3G. The results were the same - VPN connection established immediately, but I wasn't able to access any resource on the network.


  • You have the same problem as I described some postings earlier.

    You have to use a COMPLETELY other IP address. Try 10.180.180.0 / 24 as virtual IP for your clients. Then you can connect to your firewall's LAN - but not any other tunnel…

    BTW: Why do you use VPN-Tracker ?!?!?! OS X 10.6 has the original Cisco VPN client onboard which works perfectly with pfSense... ;-)

    BTW 2: One of the moderators COULD answer to all the serious IPsec problems everybody (!) seems to have. Or do you get support ONLY if it's paid support ?!?!
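As an added illustration (not from this thread or from pfSense itself), a small Python check for the misconfiguration the reply points at: the mobile-client virtual address pool must not overlap the firewall's LAN (in the first post both are 192.168.1.0/24). The same rule is extended to the client's own local LAN, since an address the client already considers on-link can never be routed into the tunnel. The function name and the 10.180.180.0/24 value in the sample run are the reply's suggestion, used here as an assumed alternative.

```python
import ipaddress
from typing import Iterable, List


def pool_conflicts(lan: str, virtual_pool: str, client_lans: Iterable[str]) -> List[str]:
    """Return human-readable conflicts between the IPsec mobile-client
    virtual address pool and the networks it must stay disjoint from."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    pool_net = ipaddress.ip_network(virtual_pool, strict=False)
    problems: List[str] = []

    # If pool addresses fall inside the firewall LAN, a LAN host treats the
    # VPN client as an on-link neighbour and ARPs for it locally instead of
    # sending replies to the firewall, so nothing comes back through the SA.
    if pool_net.overlaps(lan_net):
        problems.append(f"virtual pool {pool_net} overlaps firewall LAN {lan_net}")

    # A client whose local LAN overlaps the remote LAN or the pool keeps
    # using its directly connected route; the tunnel route never wins.
    for client_lan in client_lans:
        c_net = ipaddress.ip_network(client_lan, strict=False)
        if c_net.overlaps(lan_net):
            problems.append(f"client LAN {c_net} overlaps remote LAN {lan_net}")
        if c_net.overlaps(pool_net):
            problems.append(f"client LAN {c_net} overlaps virtual pool {pool_net}")
    return problems


if __name__ == "__main__":
    # Values taken from the first post (constructed scenario for the check).
    original = pool_conflicts("192.168.1.0/24", "192.168.1.0/24", ["192.168.8.0/24"])
    # The reply's suggested pool, assumed here as the corrected setting.
    fixed = pool_conflicts("192.168.1.0/24", "10.180.180.0/24", ["192.168.8.0/24"])
    print("original setup:", original or "no conflicts")
    print("with 10.180.180.0/24 pool:", fixed or "no conflicts")
```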