IPSEC mobile clients can only communicate with 1 location in a site to site VPN.



  • Hi, we are using IPSEC for both site to site and mobile.  Our site to sites work great and from within the networks we can each communicate; however, mobile clients cannot communicate outside of the main subnet.  For instance:

    Building1 192.168.10.0/24
    mobile Clients 192.168.11.0/24

    Building2 192.168.20.0/24

    There's a site to site between Building1 and Building2.  When at work, clients within 10.0 and 20.0 can communicate; however, if someone is working from home, they get an address in the 192.168.11.0 range and connect to the IPsec at Building1 and can only communicate with building 1 and its 10.0 range.  Anyone in the 11.0 range cannot ping or communicate with anyone in the 20.0 range.

    Any ideas?  Still new to pfSense and learning.  Is this a static route issue?  Running PF 2.1

    Thanks guys and gals for any ideas :)


  • Rebel Alliance Developer Netgate

    The site-to-site tunnel between building 1 and building 2 needs to have a Phase 2 entry to cover 192.168.11.0/24 to 192.168.20.0/24, and the rules would also need to pass the traffic.
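    The reply above comes down to IPsec traffic selectors: a child SA only carries traffic whose source and destination fall inside a Phase 2 (local, remote) pair, and the peer must hold the mirrored pair. The following added checker (example code, not pfSense's own; it uses the thread's subnets and does not model the firewall rules the reply also mentions) lists which subnet pairs a tunnel cannot carry before and after the extra Phase 2 entry is added on both ends:

```python
from ipaddress import ip_network

# Subnets taken from the thread (constructed Phase 2 lists, not pfSense config).
BUILDING1 = ip_network("192.168.10.0/24")
MOBILE    = ip_network("192.168.11.0/24")   # mobile IPsec pool, terminates at Building1
BUILDING2 = ip_network("192.168.20.0/24")

# Phase 2 entries as (local, remote) selectors configured on each endpoint.
# The original single entry carries only Building1 <-> Building2 traffic.
P2_BUILDING1 = [(BUILDING1, BUILDING2)]
P2_BUILDING2 = [(BUILDING2, BUILDING1)]

def selector_matches(entries, src_net, dst_net):
    """True if some (local, remote) selector fully covers src_net -> dst_net."""
    return any(src_net.subnet_of(local) and dst_net.subnet_of(remote)
               for local, remote in entries)

def tunnel_carries(p2_a, p2_b, net_a, net_b):
    """Traffic from net_a (behind A) to net_b (behind B) flows only if A has a
    selector net_a -> net_b AND B has the mirrored selector net_b -> net_a;
    a one-sided entry will not negotiate a matching child SA."""
    return (selector_matches(p2_a, net_a, net_b)
            and selector_matches(p2_b, net_b, net_a))

def missing_selectors(p2_a, p2_b, nets_a, nets_b):
    """Return the (net_a, net_b) pairs the tunnel cannot carry."""
    return [(a, b) for a in nets_a for b in nets_b
            if not tunnel_carries(p2_a, p2_b, a, b)]

def fixed_entries():
    """Phase 2 lists with the entry the reply describes, mirrored on both ends."""
    a = P2_BUILDING1 + [(MOBILE, BUILDING2)]
    b = P2_BUILDING2 + [(BUILDING2, MOBILE)]
    return a, b

if __name__ == "__main__":
    nets_a, nets_b = [BUILDING1, MOBILE], [BUILDING2]
    before = missing_selectors(P2_BUILDING1, P2_BUILDING2, nets_a, nets_b)
    print("missing before:", [(str(a), str(b)) for a, b in before])
    a, b = fixed_entries()
    print("missing after:", missing_selectors(a, b, nets_a, nets_b))
```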



  • So I have 1 Phase 2 already, so I need to add a second one in is what you're saying for the mobile IPSEC?  How would I go about specifying the second one though?  Would 192.168.20.0 be the local network on that Phase 2?

    Thanks again  :)
    UPDATE
    I added a second Phase 2 in for that remote network and once it's added in then the remote client cannot communicate with Building1 or Building2.  Having the same problem as posted here for reference:
    http://forum.pfsense.org/index.php?topic=48297.0

    UPDATE 2
    Tested OpenVPN server.  Set this up, created a client export file and installed on my Win7 machine.  Connected using LDAP and can only access Building1 even though in the 'Local Networks' field I specified both Building1 and Building2 CIDR.

    Any ideas would be helpful  :)



  • @Rubicon:

    Hi, we are using IPSEC for both site to site and mobile.  Our site to sites work great and from within the networks we can each communicate; however, mobile clients cannot communicate outside of the main subnet.  For instance:

    Building1 192.168.10.0/24
    mobile Clients 192.168.11.0/24

    Building2 192.168.20.0/24

    There's a site to site between Building1 and Building2.  When at work, clients within 10.0 and 20.0 can communicate; however, if someone is working from home, they get an address in the 192.168.11.0 range and connect to the IPsec at Building1 and can only communicate with building 1 and its 10.0 range.  Anyone in the 11.0 range cannot ping or communicate with anyone in the 20.0 range.

    Any ideas?  Still new to pfSense and learning.  Is this a static route issue?  Running PF 2.1

    Thanks guys and gals for any ideas :)

    I have sort of the same problem as you described, only in my setup I'm using OpenVPN for site-to-site and IPSec Road Warrior/Mobile Client for home office connections. The site-to-site VPN works just fine. Also, I can connect to either of the sites with the IPsec Road Warrior/mobile client, but I cannot reach site B from site A and vice versa.

    Will my setup even allow this behaviour? Anyone have any thoughts/tips?



  • From what I'm understanding, it should be.  With IPSEC you simply add multiple Phase 2 entries, which I've tried but had no luck.  With OpenVPN there's an IPv4 Local Network/s option where you can add multiple CIDR networks, and I've tried that too and am stuck.  With my site to site IPSEC VPNs I'm fine and can hit each building; I'm just having the issue myself with remote clients whether using IPSEC or OpenVPN.  Maybe someone from pfSense could chime in.



  • @Rubicon:

    From what I'm understanding, it should be.  With IPSEC you simply add multiple Phase 2 entries, which I've tried but had no luck.  With OpenVPN there's an IPv4 Local Network/s option where you can add multiple CIDR networks, and I've tried that too and am stuck.  With my site to site IPSEC VPNs I'm fine and can hit each building; I'm just having the issue myself with remote clients whether using IPSEC or OpenVPN.  Maybe someone from pfSense could chime in.

    I just got it working, thanks for the tip.

    I added the IPSec mobile client networks (192.168.111.0/24 for site A and 192.168.222.0/24 for site B) in the "IPv4 Remote Networks" on the OpenVPN site to site tunnel. Works like a charm.



  • Then please edit the Subject and mark it as SOLVED for others to be able to benefit from your experience. Thanks.



  • @mikee:

    Then please edit the Subject and mark it as SOLVED for others to be able to benefit from your experience. Thanks.

    I guess that's something the thread starter has to do. His setup is different from mine and I don't see that he has found a solution yet.

