Netgate Discussion Forum
    Internal lan not accessible via IPSEC tunnel

    Category: IPsec
    5 Posts 3 Posters 5.2k Views

    tripaicr:

      Hi all,

      After an update to pfSense 2.2.2 I'm struggling to set up an IPsec VPN connection for Windows (7) clients.

      The setup is this:

      LAN 192.168.22.0/24 - pfSense 192.168.22.5 - internet - client pc
      My current pfSense setup is as shown in the screenshots.

      With that setup, the client can connect, but cannot reach any host of the LAN (and vice versa).

      If I change the network in the virtual address pool to a different subnet like 192.168.23.144/28, I have to manually add a route to the x.x.22.x network on the client. Then the client can reach the hosts in the LAN.
      I have found no option that will add the route automatically.

      I've also tried with "Provide a list of accessible networks to clients" enabled/disabled, but no change.

      The Windows 7 computer is connecting with the built-in VPN client; setting the default route to the VPN is disabled.
      Only the traffic for the LAN shall be routed to the VPN connection; everything else should use the internet connection directly.

      In the IPsec firewall tab, there is an 'allow all' rule for the IPsec interface.

      Can anyone give an IPsec newbie some advice, please?

      Attachments: ipsec-1.png, ipsec-2.png, ipsec-3.png

    shreek:

        Having the same problem myself. With phase 2 as transport I don't have any access to the LAN. If I make phase 2 a tunnel I can get to the LAN gateway and nothing else. I'm curious what route you added that let you get access; all the manual routes I've tried haven't helped.

    doktornotor:

          Do you have any rules on the IPsec tab?

    shreek:

            I just tried disabling "Use default gateway on remote network" under the VPN connection properties -> Networking tab -> IPv4 properties -> Advanced and can now access the LAN. I'm still having trouble getting my DNS suffix to work properly, but it's progress.

    tripaicr:

              @doktornotor:

              The IPsec tab has an "allow all" rule.
              See screenshots for all rules.

              @shreek:
              If I set the virtual address pool in the Mobile Clients tab to 192.168.23.144/28 and manually add the route on the client after connecting the VPN, I get access to the internal LAN.
              To set the route on Win7 use "route add 192.168.22.0 MASK 255.255.255.0 192.168.23.145", where 192.168.23.145 is the IP of the VPN interface on the client.
              The connection was successful after following these instructions: https://forum.pfsense.org/index.php?topic=93541.0 and http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

              Attachments: fw1.png, fw2.png, fw3.png, fw4.png
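The thread's fix has two manual parts: untick "Use default gateway on remote network" (shreek's post) and, after connecting, add a route for the LAN via the address the client got from the virtual pool (tripaicr's post). The script below is an added example written for this page, not code from the posts or from pfSense, that does both from a Windows 7 PowerShell 2.0 prompt. Assumptions not in the thread: the VPN entry is named "pfSense" in the user's phonebook and the user name is "vpnuser"; the networks are the ones the thread gives (LAN 192.168.22.0/24 behind pfSense 192.168.22.5, client pool 192.168.23.144/28).

```powershell
# Added example for this thread (not from the original posts or from pfSense).
# Split-tunnel the Windows 7 built-in IKEv2 client to a pfSense mobile IPsec
# setup: turn off the remote default gateway for the entry, dial, then route
# only the LAN through the tunnel. Run from an elevated PowerShell prompt.
param(
    [string]$ConnectionName = "pfSense",       # assumption: name of the VPN entry
    [string]$UserName       = "vpnuser",       # assumption: IPsec/EAP user name
    [string]$LanNetwork     = "192.168.22.0",  # LAN behind pfSense (from the thread)
    [string]$LanMask        = "255.255.255.0",
    [string]$LanTestHost    = "192.168.22.5",  # pfSense LAN address (from the thread)
    [string]$PoolPrefix     = "192.168.23."    # virtual address pool 192.168.23.144/28 (from the thread)
)
$ErrorActionPreference = "Stop"

# 1. "Use default gateway on remote network" is stored per entry as
#    IpPrioritizeRemote=1/0 in the user's phonebook (INI-style [name] sections).
#    Rewrite only the matching section; keep a backup; ASCII-only phonebook assumed.
$pbk = Join-Path $env:APPDATA "Microsoft\Network\Connections\Pbk\rasphone.pbk"
if (-not (Test-Path $pbk)) { throw "Phonebook not found: $pbk (create the VPN entry first)" }
Copy-Item $pbk "$pbk.bak" -Force
$inEntry = $false
$fixed = foreach ($line in Get-Content $pbk) {
    if ($line -match '^\[(.*)\]$') { $inEntry = ($matches[1] -eq $ConnectionName) }
    if ($inEntry -and $line -match '^IpPrioritizeRemote=') { 'IpPrioritizeRemote=0' } else { $line }
}
Set-Content -Path $pbk -Value $fixed

# 2. Dial the entry. The phonebook is read at dial time, so drop any existing
#    session first. '*' makes rasdial prompt for the password instead of taking
#    it on the command line (where it would land in history and process lists).
rasdial $ConnectionName /disconnect | Out-Null
rasdial $ConnectionName $UserName '*'
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with RAS error $LASTEXITCODE" }

# 3. Find the address pfSense handed out from the virtual pool. The WAN Miniport
#    adapter shows up in WMI as an IP-enabled configuration while connected.
$vpnIp = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -like "$PoolPrefix*" } |
    Select-Object -First 1
if (-not $vpnIp) {
    rasdial $ConnectionName /disconnect | Out-Null
    throw "No interface has an address from $PoolPrefix*; check Mobile Clients -> Virtual Address Pool"
}

# 4. Route the LAN via the tunnel. As in the thread's command, the VPN
#    interface's own address is the gateway for a point-to-point adapter.
#    Deliberately not persistent (-p): the pool address can differ next session.
route add $LanNetwork mask $LanMask $vpnIp metric 1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "route add failed ($LASTEXITCODE); is this prompt elevated?" }

# 5. Verify the split tunnel: the LAN answers through the tunnel, and the
#    client's default route is still its own (no 0.0.0.0 route via $vpnIp).
if (Test-Connection -ComputerName $LanTestHost -Count 2 -Quiet) {
    "LAN host $LanTestHost reachable via $vpnIp"
} else {
    "Tunnel is up ($vpnIp) but $LanTestHost did not answer; check the IPsec tab rules and phase 2"
}
route print $LanNetwork
route print 0.0.0.0
```

The route disappears with the session, so the script is re-run per connection. On Windows 8.1 and later the same result is available without editing the phonebook or calling route: Set-VpnConnection -SplitTunneling $true plus Add-VpnConnectionRoute for 192.168.22.0/24 install the route each time the entry dials.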
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.