Got tunnel, now the routing…



  • I have a brand new 2.0.1 pfsense, currently it's in a test environment.
    I'm now trying to set up an IPsec host-to-network (mobile warrior) VPN, with another machine on a separate LAN.
    OSX 10.6.8 with VPN Tracker 5.

    Establishing the tunnel works great, but I'm unable to access or ping any address on the network, including pfsense.

    Setup:
    Network:  192.168.1.0 / 24
    VPN client network: 192.168.8.0/24
    VPN client LAN IP: 192.168.8.55

    relevant pfsense settings:
    IPsec phase 1 My identifier:  My IP address
        NAT Traversal enabled
    IPsec phase 2  Tunnels:
        Mode: tunnel
        Local Network: Type: Network
        Address: 192.168.1.0/24
    Mobile clients: Client Configuration:
      Virtual Address Pool: enabled, network 192.168.1.0/24

    Firewall has IPsec allowed for any/any

    Relevant VPN client settings
        Local Address:  77.77.77.77
        Remote Network: 192.168.1.0 / 255.255.255.0

    In pfsense's IPsec log all the references are to the public IP addresses of both WANs, except at the end:
      no policy found, try to generate the policy: 77.77.77.77/32[0] 192.168.1.0/24[0]
    Then it ends with
        IPsec-SA established: ESP 74.112.151.148[500]->74.89.151.50[500] spi=….

    Interesting entries from the VPN client log:
    21:34:25 Phase 1 Finished
    21:34:25 Next step: Processing vpntrackerd connection request
    21:34:25 Next step: Finishing Phase 1
    21:34:25 Next step: Creating policies
    21:34:25 Next step: Rollback: Adding policy
    21:34:25 Next step: Adding policy 77.77.77.77/32[any] <--> 192.168.1.0/24[any] / unique
    …..
    21:34:25 Phase 2 Finished
    21:34:25 Next step: Processing vpntrackerd connection request
    21:34:25 Next step: Finishing Phase 2
    21:34:25 Next step: Finishing connection
    21:34:25 Next step: Rollback: Adding SA 192.168.8.55 <--> 74.112.151.148
    21:34:25 Next step: Configuring interface
    21:34:25 Next step: Creating gif0 interface
    21:34:25 Next step: Rollback: Adding gif0 interface
    21:34:25 Next step: Setting up routes
    21:34:25 Next step: Adding route for 74.112.151.148 over 192.168.8.254 via en1
    21:34:25 Next step: Rollback: Adding route to 74.112.151.148
    21:34:25 Next step: Adding route for 192.168.1.0/24 over gif0
    21:34:25 Next step: Rollback: Adding route to 192.168.1.0/24

    21:34:25 Connected

    Any ideas are appreciated. Thanks!



  • I should also note that I tried to connect via an iPhone, both from within the 192.168.8.x network and on Verizon 3G. The results were the same - VPN connection established immediately, but I wasn't able to access any resource on the network.



  • You have the same problem as I described some postings earlier.

    You have to use a COMPLETELY other IP address. Try 10.180.180.0 / 24 as virtual IP for your clients. Then you can connect to your firewall's LAN - but not any other tunnel…

    BTW: Why do you use VPN-Tracker ?!?!?! OS X 10.6 has the original Cisco VPN client onboard which works perfectly with pfSense... ;-)

    BTW 2: One of the moderators COULD answer to all the serious IPsec problems everybody (!) seems to have. Or do you get support ONLY if it's paid support ?!?!
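The reply above points at the actual fault in the first post's settings: the mobile clients' Virtual Address Pool (192.168.1.0/24) is the same prefix as the phase-2 Local Network, so the client ends up with an address that is routed both through gif0 and "locally". The following is an added pre-flight check written for this thread, not code from pfSense or VPN Tracker; the dictionary keys and the two constructed configs (the original one and the one with the suggested 10.180.180.0/24 pool) are assumptions for illustration.

```python
import ipaddress

# Constructed from the settings posted in the thread: the virtual pool handed
# to mobile clients, the phase-2 local network, and the client's own LAN.
ORIGINAL_CONFIG = {
    "virtual_pool": "192.168.1.0/24",
    "local_networks": ["192.168.1.0/24"],
    "client_lans": ["192.168.8.0/24"],
}

# Same settings with the disjoint pool suggested in the reply.
FIXED_CONFIG = {**ORIGINAL_CONFIG, "virtual_pool": "10.180.180.0/24"}


def _nets(cidrs):
    # strict=False tolerates host bits being set, e.g. "192.168.1.1/24".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(config):
    """Return (what, network) pairs whose prefix collides with the pool or
    with each other; an empty list means the address plan is routable."""
    pool = ipaddress.ip_network(config["virtual_pool"], strict=False)
    local = _nets(config["local_networks"])
    client = _nets(config["client_lans"])
    conflicts = []
    # The pool must not overlap anything the client is told to route via the tunnel.
    for net in local:
        if pool.overlaps(net):
            conflicts.append(("pool vs local network", str(net)))
    # Nor the LAN the client already sits on, or it loses its default gateway.
    for net in client:
        if pool.overlaps(net):
            conflicts.append(("pool vs client LAN", str(net)))
    # Remote LAN and client LAN sharing a prefix also breaks routing (both sides).
    for l in local:
        for c in client:
            if l.overlaps(c):
                conflicts.append(("local network vs client LAN", f"{l} / {c}"))
    return conflicts


def pool_is_usable(config):
    return not find_overlaps(config)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", find_overlaps(cfg) or "no conflicts")
```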

