Roadwarrior vpn, windows 7 and macintosh



  • Hello,

    I have managed to configure pfsense with an ipsec roadwarrior vpn.  I configured it in accordance with the 2.1 documentation. (there are some differences between this and the Mobile IPsec on 2.0 howto page).  I have it working with my mac running mountain lion.  However I am having difficulties with windows using shrewsoft.

    On Windows, shrewsoft is able to establish a connection, but I can't get traffic to traverse the vpn.  I have run a packet capture looking for packets on the lan side of pfsense: I see traffic from the macintosh, but not the windows system.

    For both windows and macintosh, NON-vpn traffic bypasses the vpn and uses the default gateway.

    I turned off the windows firewall entirely.

    I experimented and unchecked the network list box on the mobile clients tab to see if forcing all traffic over the vpn would work.  Well, I couldn't connect the mac anymore; However, no traffic moved to/from the windows box.

    When I get a little more time, I will post the configurations.

    However, if any of this rings a bell, I am all ears!

    Thanks!

    –jason



  • In the past, I setup PFsense IPsec and connected using the Shrewsoft VPN client.  In my experience, traffic would not traverse the tunnel until I configured my LAN subnet in the client manually.  This was due to the clients routing table not being updated.

    Edit your Shrewsoft VPN site config, navigate to the "Policy" tab, uncheck "obtain Topology Automatically or Tunnel All", click "Add", then enter your LAN subnet, which will make an entry in the Remote Network Resource section, click "Save".

    Reconnect and you will notice that your client's routing table now reflects that your remote LAN subnet is routed over the VPN.

    Ideally the client should get it's routing from the firewall, so I'm not sure if it was a configuration issue on the server (PFsense) or a limitation of the Shrewsoft client when connecting to PFsense's implementation of IPsec.

    If anyone has had success with the Shrewsoft VPN client automatically obtaining proper routing upon connection to PFsense, please share your config and experience.



  • Hello,

    Thanks for your reply Marvosa!  I will test this as soon as the three fires in my lap are handled!

    –jason



  • Hello,

    I have tried entering the static routes as Marvosa suggested and got no change.

    I have captured the racoon debug output on the pfsense router during both a (apparently successful) windows attempt, and successful macintosh connection.  I have enclosed them both.

    Macintosh: Mountain lion, native cisco ipsec vpn

    Windows 7: Shrewsoft client 2.2.2 standard

    Settings are in accordance with the 2.1 manual's recommendations.

    So, at times the windows client breaks the connection.  But at the very least it doesn't seem to send data through the vpn at all.  I haven't found much regarding troubleshooting shrewsoft yet.

    I look forward to your feedback.

    –jason

    windows_ipsec.log.txt
    mac_ipsec.log.txt



  • Hello,

    As it happens, I have been getting these messages in my ipsec logs:

    failed to pre-process ph2 packet [Check Phase 2 settings, networks]

    but never could figure it out.  I also noticed that on the shrewsoft vpn trace program that Security associations would only show up in "larval" state, and shortly be removed from the table.

    I have been playing with things and found this thread: http://forum.gta.com/forum/user-community-support/how-to/190-shrewsoft-vpn-client-problem

    This version of shrewsoft (2.2.2) has an additional thing to configure on the policy tab: change Policy Generation Level to "unique" and it works: the connection establishes correctly and my formerly  "larval" entries change to "mature" and remain in place.

    If I come back in the next couple of days and close this thread, it is because this solved my problem.

    –jason