    Netgate Discussion Forum

    Internal lan not accessible via IPSEC tunnel

    IPsec
    tripaicr:

      Hi all,

      After an update to pfSense 2.2.2 I'm struggling to set up an IPsec VPN connection for Windows (7) clients.

      The setup is this:

      LAN 192.168.22.0/24 - pfSense 192.168.22.5 - internet - client pc
      My current pfSense setup is as shown in the screenshots.

      With that setup, the client can connect, but cannot reach any host of the LAN (and vice versa).

      If I change the network in the virtual address pool to a different subnet like 192.168.23.144/28, I have to manually add a route to the x.x.22.x network on the client. Then the client can reach the hosts in the LAN.
      I have found no option that will add the route automatically.

      I've also tried with "Provide a list of accessible networks to clients" enabled/disabled, but no change.

      The Windows 7 computer is connecting with the built-in vpn client, setting the default route to the vpn is disabled.
      Only the traffic for the LAN shall be routed to the vpn connection, everything else should use the internet connection directly.

      In the IPsec firewall tab, there is an 'allow all' rule for the IPsec interface.

      Can anyone give an ipsec-newbie some advice, please?

      shreek:

        Having the same problem myself. With phase2 as a transport I don't have any access to the lan. If I make phase2 a tunnel I can get to the lan gateway and nothing else. I'm curious what route you added that you were able to get access, all the manual routes I've tried haven't helped.

        doktornotor:

          Do you have any rules on the IPsec tab?

          shreek:

            I just tried disabling "Use default gateway on remote network" under the vpn connection properties->networking tab->IPv4 properties->Advanced and can now access the LAN. I'm still having trouble getting my dns suffix to work properly, but it's progress.

            tripaicr:

              @doktornotor:

              The IPsec tab has an "allow all" rule.
              See screenshots for all rules.

              @shreek:
              If I set the virtual address pool in the mobile clients tab to 192.168.23.144/28 and if I manually add the route on the client after connecting the vpn, I get access to the internal lan.
              To set the route on Win7 use "route add 192.168.22.0 MASK 255.255.255.0 192.168.23.145" where 192.168.23.145 is the IP of the VPN interface on the client.
              The connection was successful after following these instructions: https://forum.pfsense.org/index.php?topic=93541.0 and http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801
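The thread ends with two manual client-side steps: untick "Use default gateway on remote network" (shreek's post) and, after connecting, run tripaicr's `route add` with the client's pool address as gateway. The script below is an added example, not code from the thread, from pfSense or from Netgate, that does both checks in one go on a Windows 7 machine with the built-in client, using the thread's addressing (LAN 192.168.22.0/24, pfSense 192.168.22.5, pool 192.168.23.144/28). The connection name "pfSense-IPsec" and the use of saved credentials with `rasdial` are assumptions; the split-tunnel check reads the `IpPrioritizeRemote` key that the checkbox writes to rasphone.pbk, and the route check relies on the column layout of `route print`.

```powershell
# Added example (not from the thread or from pfSense/Netgate): script the manual
# steps the thread arrives at, for the Windows 7 built-in IKEv2 client.
#  1. confirm "Use default gateway on remote network" is off (split tunnelling),
#  2. dial the connection,
#  3. find this client's address from the mobile pool and add the LAN route with
#     that address as gateway, exactly like tripaicr's "route add" line,
#  4. check that the pfSense LAN address answers through the tunnel.
# Run from an elevated PowerShell; "route add" needs administrator rights.

$VpnName  = "pfSense-IPsec"        # ASSUMPTION: name of the phonebook entry
$LanNet   = "192.168.22.0"         # LAN behind pfSense (from the thread)
$LanMask  = "255.255.255.0"
$LanHost  = "192.168.22.5"         # pfSense LAN address, used for the reachability test
$PoolNet  = "192.168.23.144"       # mobile clients virtual address pool, /28
$PoolMask = "255.255.255.240"

# Network address of $Ip under $Mask as a dotted quad, for pool membership tests.
function Get-NetworkAddress([string]$Ip, [string]$Mask) {
    $i = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3 | ForEach-Object { $i[$_] -band $m[$_] }) -join ".")
}

# True when the entry has split tunnelling, i.e. "Use default gateway on remote
# network" is unchecked. The checkbox is stored as IpPrioritizeRemote in rasphone.pbk.
function Test-SplitTunnel([string]$Entry) {
    $pbk = Join-Path $env:APPDATA "Microsoft\Network\Connections\Pbk\rasphone.pbk"
    if (-not (Test-Path $pbk)) { return $false }
    $inEntry = $false
    foreach ($line in Get-Content $pbk) {
        if ($line -match '^\[(.+)\]$') { $inEntry = ($Matches[1] -eq $Entry); continue }
        if ($inEntry -and $line -match '^IpPrioritizeRemote=(\d)$') { return ($Matches[1] -eq '0') }
    }
    return $false   # entry or key not found: do not assume it is configured
}

# First IPv4 address on this machine that lies inside the pool, or $null.
function Get-PoolAddress {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' -and
                       (Get-NetworkAddress $_ $PoolMask) -eq $PoolNet } |
        Select-Object -First 1
}

if (-not (Test-SplitTunnel $VpnName)) {
    throw "'$VpnName': untick 'Use default gateway on remote network' first (IPv4 properties -> Advanced)."
}

# Dial. ASSUMPTION: the entry has saved credentials. rasdial exits non-zero on
# failure; IKEv2 error codes such as the 13801 from the linked posts surface here.
$dial = rasdial $VpnName 2>&1
if ($LASTEXITCODE -ne 0) { throw "rasdial failed: $dial" }

$vpnIp = Get-PoolAddress
if (-not $vpnIp) { throw "No interface holds an address from $PoolNet/28; is the tunnel up?" }

# The route hangs off the PPP adapter and vanishes when the tunnel drops, so it
# must be re-added after every connect; skip it if it is already in the table.
$pattern  = "^\s*" + [regex]::Escape($LanNet) + "\s+" + [regex]::Escape($LanMask) + "\s"
$existing = route print -4 | Select-String -Pattern $pattern
if (-not $existing) {
    route add $LanNet MASK $LanMask $vpnIp
    if ($LASTEXITCODE -ne 0) { throw "route add $LanNet MASK $LanMask $vpnIp failed" }
}

if (Test-Connection -ComputerName $LanHost -Count 2 -Quiet) {
    "LAN reachable: $LanHost answers via $vpnIp"
} else {
    "Tunnel is up but $LanHost does not answer: check the IPsec tab rules and the phase 2 settings on pfSense"
}
```

Because the route is tied to the PPP adapter, re-run the script after each reconnect; newer Windows releases have the VpnClient PowerShell module for persistent per-connection routes, but Windows 7 does not, which is why the thread falls back to `route add`.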