Connected my iPhone with IPSEC to my DMZ Network but couldn't connect to Local



  • I have in my office where Pfsense is installed 3 networks (WAN, LAN and DMZ) Lan and DMZ have same subnet but different IP Segment.

    LAN 192.168.1.x/24 and DMZ have 10.20.10.0/24, after I configured IPSEC for Mobile and was able to connect iPhone with IPSEC to the pfsense/IPSEC server I was only able to ping the Machines on the DMZ network not LAN.

    Is there any reason why it wouldn't connect?

    I have configured the firewall to pass all traffic. I even created a routing rule on one of the machines on Lan to have gateway pointing to internal IP of Pfsense but that didn't work.

    I can ping LAN machines from Pfsense though.

    Any suggestion?



  • In Phase 2 of your IPSec policy you define the subnet that the VPN tunnel connects to.  The incoming VPN connection is restricted to only that subnet.  You'd have to create another policy for your LAN.  I know that's the case for the IPSec tunnels I've built.  Mobile probably has the same restrictions but is configured in a different area.



  • I would normally make sure that all the subnet behind the VPN router are in the same supernet if possible, that way you can send the whole supernet through the VPN.

    So you would have

    LAN: 192.168.0.0/24
    DMZ: 192.168.1.0/24

    In the phase 2 you would have 192.168.0.0/23 (or something bigger, if needed)

    Another problem might be that your local subnet of the VPN client conflicts with the LAN subnet.



  • Thank you guys but I think this is actually a bug within Pfsense it self. I have changed all the rules according to you have offered but it didn't work.

    I then reverted back the settings the same and it did work finally. here's my settings just to let you know how is it configured.

    I have created a user and a group as following :
    1- Groups: 1 IPSEC Group, Assigned all privileges, (Member Count = (2) :
    2- Users: 2 Users part of this group.

    In IPSEC section in the tunnels tab:

    1- I have created Remote Gateway with the following settings:
      - Interface : (WAN)
      - Phase 1 proposal (Authentication) (Authentication Mode) : Mutual PSK + XAUth
      - Negotiation Mode ( Aggressive ).
      - My Identifier ( My IP Address).
      - Peer Identifier (Distinguished Name) = random name.
      - Pre-shared Key = TEST
      - Policy Generation and Proposal Checking are set to Default.
      - Encryption algorithm = 3DES
      - Hash Algorithm = SHA1
      - DH Key Group = 2
      - Life Time = 28800
    **  - Advanced Option**
      - NAT Traversal = Force
      - Dead Peer Detection  = Enabled DPD , First value 10, second 5

    2- Phase 2
    VPN: IPsec: Edit Phase 2: Mobile Client

    Mode = Tunnel
      - Local Network = Network
    Address = 192.168.1.0/24

    - Phase 2 proposal (SA/Key Exchange)
      - Protocol = ESP
      - Encryption algorithms = 3DES
      - Hash algorithms = SHA1
      - PFS key group = (grayed out) 2
      - Life time = 3600

    3- VPN: IPsec: Mobile Mobile clients
      - Extended Authentication (Xauth) = System both user and group.
      - Virtual Address Pool enabled = 172.16.254.x/24
      - Network List = Disabled
      - Save Xauth Password = Enabled
      - Provide a default domain name to clients = Enabled = (My Pfsense's External FQDN Name).
      - Provide a DNS server list to clients = Enabled (External DNS IP)
      - WINS = Disabled
      - Phase2 PFS Group = Enabled (2)
      - Login Banner = Disabled.


    I have created a static route on of the machines and tried to ping to this machine from my iPhone using an application called (Net Master)
    netsh interface ipv4 add route 172.16.254.0/24 "Local Area Connection" 192.168.1.100  << My PFSENSE Local IP

    My iPhone is G4 with iOS 5.1.1, and the VPN settings are as the following :
    Server = My Pfsense's WAN IP address.
    Account = User that I created.
    Password = password
    User Certificate = off.
    Group Name = The group Name I have created earlier.
    Secret = Test

    Now I'm able to access any machine in my office network with IPSEC VPN on Pfsense if the static route is added to them. this is a perfect software.



  • One Last thing to add, I have added a rule to the IPSEC tab in Firewall section to allow any traffic generated from source  to the Machine's IP as destination.



  • Good that you got it to work

    netsh interface ipv4 add route 172.16.254.0/24 "Local Area Connection" 192.168.1.100  << My PFSENSE Local IP

    Should only be required if pfSense wouldn't be the Default Gateway already.

    And in this configuration, I don't think you can't get to your DMZ (don't know if you need to).



  • Yes true, I don't have pfsense as my default gateway so I had to add the route. and I don't need the DMZ I just added it for another purpose to publish something else.

    Thanks a lot



  • How do you add static route to pfsense box ? >:(



  • OK. I got it. I don't have to do route on pfsense box, the rule does it all, only my local station.


Locked