    Got tunnel, now the routing…

    IPsec
    DLpres:

      I have a brand new pfSense 2.0.1; currently it's in a test environment.
      I'm now trying to set up an IPsec host-to-network (mobile warrior) VPN, with another machine on a separate LAN.
      OS X 10.6.8 with VPN Tracker 5.

      Establishing the tunnel works great, but I'm unable to access or ping any address on the network, including pfsense.

      Setup:
      Network: 192.168.1.0/24
      VPN client network: 192.168.8.0/24
      VPN client LAN IP: 192.168.8.55

      Relevant pfSense settings:
      IPsec phase 1: My identifier: My IP address
          NAT Traversal enabled
      IPsec phase 2 Tunnels:
          Mode: tunnel
          Local Network: Type: Network
          Address: 192.168.1.0/24
      Mobile clients: Client Configuration:
          Virtual Address Pool: enabled, network 192.168.1.0/24

      Firewall has IPsec allowed for any/any

      Relevant VPN client settings:
          Local Address: 77.77.77.77
          Remote Network: 192.168.1.0 / 255.255.255.0

      In pfsense's IPsec log all the references are to the public IP addresses of both WANs, except at the end:
        no policy found, try to generate the policy: 77.77.77.77/32[0] 192.168.1.0/24[0]
      Then it ends with
          IPsec-SA established: ESP 74.112.151.148[500]->74.89.151.50[500] spi=….

      Interesting entries from the VPN client log:
      21:34:25 Phase 1 Finished
      21:34:25 Next step: Processing vpntrackerd connection request
      21:34:25 Next step: Finishing Phase 1
      21:34:25 Next step: Creating policies
      21:34:25 Next step: Rollback: Adding policy
      21:34:25 Next step: Adding policy 77.77.77.77/32[any] <--> 192.168.1.0/24[any] / unique
      …..
      21:34:25 Phase 2 Finished
      21:34:25 Next step: Processing vpntrackerd connection request
      21:34:25 Next step: Finishing Phase 2
      21:34:25 Next step: Finishing connection
      21:34:25 Next step: Rollback: Adding SA 192.168.8.55 <--> 74.112.151.148
      21:34:25 Next step: Configuring interface
      21:34:25 Next step: Creating gif0 interface
      21:34:25 Next step: Rollback: Adding gif0 interface
      21:34:25 Next step: Setting up routes
      21:34:25 Next step: Adding route for 74.112.151.148 over 192.168.8.254 via en1
      21:34:25 Next step: Rollback: Adding route to 74.112.151.148
      21:34:25 Next step: Adding route for 192.168.1.0/24 over gif0
      21:34:25 Next step: Rollback: Adding route to 192.168.1.0/24

      21:34:25 Connected

      Any ideas are appreciated. Thanks!

      DLpres:

        I should also note that I tried to connect via an iPhone, both from within the 192.168.8.x network and on Verizon 3G. The results were the same - VPN connection established immediately, but I wasn't able to access any resource on the network.

        twaldorf:

          You have the same problem as I described some postings earlier.

          You have to use a COMPLETELY other IP address. Try 10.180.180.0/24 as virtual IP for your clients. Then you can connect to your firewall's LAN - but not any other tunnel…

          BTW: Why do you use VPN Tracker ?!?!?! OS X 10.6 has the original Cisco VPN client onboard, which works perfectly with pfSense... ;-)

          BTW 2: One of the moderators COULD answer to all the serious IPsec problems everybody (!) seems to have. Or do you get support ONLY if it's paid support ?!?!

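An added check for the overlap that twaldorf's reply points at (example code, not from the thread and not part of pfSense): it takes the networks from the first post and the suggested 10.180.180.0/24 pool and reports which pairs of networks collide. The client LAN is only known because the poster gave it; in general that input is an assumption.

```python
import ipaddress

# Values constructed from the thread: the pfSense LAN (also the phase 2 local
# network), the Mac's own LAN, the pool from the first post and the pool
# suggested in the reply.
PFSENSE_LAN = "192.168.1.0/24"
CLIENT_LAN = "192.168.8.0/24"
POOL_AS_POSTED = "192.168.1.0/24"
POOL_SUGGESTED = "10.180.180.0/24"


def pool_problems(pool, local_networks, client_lans=()):
    """Return a list of reasons a mobile-client virtual address pool is unusable.

    local_networks: phase 2 local networks the road warriors must reach.
    client_lans:    LANs the road warriors dial in from (assumed input; the
                    poster happened to give theirs).
    An empty list means no overlap was found.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    local = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    remote = [ipaddress.ip_network(n, strict=False) for n in client_lans]
    problems = []
    for net in local:
        if pool_net.overlaps(net):
            # A virtual IP inside the LAN subnet is treated as on-link by LAN
            # hosts, so their replies never reach pfSense and the tunnel.
            problems.append(f"pool {pool_net} overlaps phase 2 local network {net}")
    for lan in remote:
        if pool_net.overlaps(lan):
            problems.append(f"pool {pool_net} overlaps client LAN {lan}")
        for net in local:
            if lan.overlaps(net):
                # The client already has a connected route for that prefix,
                # so traffic for the remote network may never enter the tunnel.
                problems.append(f"client LAN {lan} overlaps remote network {net}")
    return problems


if __name__ == "__main__":
    for label, pool in (("as posted", POOL_AS_POSTED), ("suggested", POOL_SUGGESTED)):
        found = pool_problems(pool, [PFSENSE_LAN], [CLIENT_LAN])
        print(f"{label} ({pool}): {found or 'no overlap'}")
```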