Netgate Discussion Forum

    Roadwarrior vpn, windows 7 and macintosh

    jason0

      Hello,

      I have managed to configure pfSense with an IPsec road warrior VPN.  I configured it in accordance with the 2.1 documentation (there are some differences between this and the Mobile IPsec on 2.0 howto page).  I have it working with my Mac running Mountain Lion.  However, I am having difficulties with Windows using Shrew Soft.

      On Windows, Shrew Soft is able to establish a connection, but I can't get traffic to traverse the VPN.  I have run a packet capture looking for packets on the LAN side of pfSense: I see traffic from the Macintosh, but not the Windows system.

      For both Windows and Macintosh, non-VPN traffic bypasses the VPN and uses the default gateway.

      I turned off the Windows firewall entirely.

      I experimented and unchecked the network list box on the mobile clients tab to see if forcing all traffic over the VPN would work.  Well, I couldn't connect the Mac anymore; however, no traffic moved to/from the Windows box.

      When I get a little more time, I will post the configurations.

      However, if any of this rings a bell, I am all ears!

      Thanks!

      –jason

        marvosa

        In the past, I set up pfSense IPsec and connected using the Shrew Soft VPN client.  In my experience, traffic would not traverse the tunnel until I configured my LAN subnet in the client manually.  This was due to the client's routing table not being updated.

        Edit your Shrewsoft VPN site config, navigate to the "Policy" tab, uncheck "obtain Topology Automatically or Tunnel All", click "Add", then enter your LAN subnet, which will make an entry in the Remote Network Resource section, click "Save".

        Reconnect and you will notice that your client's routing table now reflects that your remote LAN subnet is routed over the VPN.

        Ideally the client should get its routing from the firewall, so I'm not sure if it was a configuration issue on the server (pfSense) or a limitation of the Shrew Soft client when connecting to pfSense's implementation of IPsec.

        If anyone has had success with the Shrewsoft VPN client automatically obtaining proper routing upon connection to PFsense, please share your config and experience.

          jason0

          Hello,

          Thanks for your reply Marvosa!  I will test this as soon as the three fires in my lap are handled!

          –jason

            jason0

            Hello,

            I have tried entering the static routes as Marvosa suggested and got no change.

            I have captured the racoon debug output on the pfSense router during both an (apparently successful) Windows attempt and a successful Macintosh connection.  I have enclosed them both.

            Macintosh: Mountain Lion, native Cisco IPsec VPN

            Windows 7: Shrew Soft client 2.2.2 Standard

            Settings are in accordance with the 2.1 manual's recommendations.

            So, at times the Windows client breaks the connection.  But at the very least it doesn't seem to send data through the VPN at all.  I haven't found much regarding troubleshooting Shrew Soft yet.

            I look forward to your feedback.

            –jason

            windows_ipsec.log.txt
            mac_ipsec.log.txt

              jason0

              Hello,

              As it happens, I have been getting these messages in my ipsec logs:

              failed to pre-process ph2 packet [Check Phase 2 settings, networks]

              but never could figure it out.  I also noticed in the Shrew Soft VPN trace program that security associations would only show up in "larval" state and shortly be removed from the table.

              I have been playing with things and found this thread: http://forum.gta.com/forum/user-community-support/how-to/190-shrewsoft-vpn-client-problem

              This version of Shrew Soft (2.2.2) has an additional thing to configure on the Policy tab: change Policy Generation Level to "unique" and it works: the connection establishes correctly and my formerly "larval" entries change to "mature" and remain in place.

              If I come back in the next couple of days and close this thread, it is because this solved my problem.

              –jason

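As an added example (not code from this thread, pfSense or Shrew Soft), a small Python triage script for the symptom the last two posts describe: Phase 1 completes, but every Phase 2 attempt ends in "failed to pre-process ph2 packet", so the client looks connected while no IPsec SA ever matures. It runs over constructed racoon-style syslog lines; the line formats, hostnames and peer addresses are assumptions, not the poster's attached logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of racoon's syslog output on pfSense.
# Peer 198.51.100.7 reproduces the thread's symptom; 203.0.113.9 is a healthy peer.
SAMPLE_LOG = """\
Jan 10 09:01:02 pfsense racoon: INFO: ISAKMP-SA established 192.0.2.1[4500]-198.51.100.7[4500] spi:aabb
Jan 10 09:01:03 pfsense racoon: INFO: respond new phase 2 negotiation: 192.0.2.1[4500]<=>198.51.100.7[4500]
Jan 10 09:01:03 pfsense racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks].
Jan 10 09:01:03 pfsense racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks].
Jan 10 09:02:10 pfsense racoon: INFO: ISAKMP-SA established 192.0.2.1[500]-203.0.113.9[500] spi:ccdd
Jan 10 09:02:11 pfsense racoon: INFO: respond new phase 2 negotiation: 192.0.2.1[500]<=>203.0.113.9[500]
Jan 10 09:02:11 pfsense racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.9[500]->192.0.2.1[500] spi=1234
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
P1_RE = re.compile(r"ISAKMP-SA established \S+-" + IP + r"\[")         # Phase 1 up, peer is 2nd address
P2_START_RE = re.compile(r"phase 2 negotiation: \S+<=>" + IP + r"\[")   # Phase 2 attempt from peer
P2_OK_RE = re.compile(r"IPsec-SA established: .*? " + IP + r"\[\d+\]->")  # Phase 2 up (ESP SA)
P2_FAIL = "failed to pre-process ph2 packet"

def triage(log_text):
    """Return {peer_ip: {"p1": n, "p2_ok": n, "p2_fail": n}}.
    The ph2 error line carries no address, so it is attributed to the peer of the
    most recent 'phase 2 negotiation' line (a heuristic; fine for a single-client test)."""
    stats = defaultdict(lambda: {"p1": 0, "p2_ok": 0, "p2_fail": 0})
    current = None
    for line in log_text.splitlines():
        if m := P1_RE.search(line):
            stats[m.group(1)]["p1"] += 1
        elif m := P2_START_RE.search(line):
            current = m.group(1)
        elif m := P2_OK_RE.search(line):
            stats[m.group(1)]["p2_ok"] += 1
        elif P2_FAIL in line and current:
            stats[current]["p2_fail"] += 1
    return dict(stats)

def stuck_peers(stats):
    """Peers whose Phase 1 completed but no Phase 2 SA ever came up: the
    'connected but no traffic' state, where the client's SAs stay larval."""
    return sorted(ip for ip, s in stats.items() if s["p1"] and not s["p2_ok"])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in stuck_peers(result):
        print(f"{ip}: Phase 1 ok, {result[ip]['p2_fail']} Phase 2 failures, no IPsec SA; check Phase 2 settings/networks")
```

Pointing the script at the real log (`clog /var/log/ipsec.log` on pfSense of that era, or the attached files) gives a quick per-peer view before digging into the full racoon debug output.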
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.