Netgate Discussion Forum

Internal lan not accessible via IPSEC tunnel

5 Posts 3 Posters 5.2k Views
    tripaicr
    last edited by May 12, 2015, 3:32 PM

    Hi all,

    After an update to pfSense 2.2.2 I'm struggling to set up an IPsec VPN connection for Windows (7) clients.

    The setup is this:

    LAN 192.168.22.0/24 - pfSense 192.168.22.5 - internet - client pc
    My current pfsense setup is as shown in the screenshots.

    With that setup, the client can connect, but cannot reach any host of the LAN (and vice versa).

    If I change the network in the virtual address pool to a different subnet like 192.168.23.144/28, I have to manually add a route to the x.x.22.x network on the client. Then the client can reach the hosts in the LAN.
    I have found no option that will add the route automatically.

    I've also tried with "Provide a list of accessible networks to clients" enabled/disabled, but no change.

    The Windows 7 computer is connecting with the built-in vpn client, setting the default route to the vpn is disabled.
    Only the traffic for the LAN shall be routed to the vpn connection, everything else should use the internet connection directly.

    In the IPsec firewall tab, there is an 'allow all' rule for the ipsec interface.

    Can anyone give an ipsec-newbie some advice, please?

    [screenshots: ipsec-1.png, ipsec-2.png, ipsec-3.png]

      shreek
      last edited by May 12, 2015, 4:28 PM

      Having the same problem myself. With phase2 as a transport I don't have any access to the LAN. If I make phase2 a tunnel I can get to the LAN gateway and nothing else. I'm curious what route you added that you were able to get access; all the manual routes I've tried haven't helped.

        doktornotor Banned
        last edited by May 12, 2015, 4:38 PM

        Do you have any rules on the IPsec tab?

          shreek
          last edited by May 12, 2015, 4:46 PM

          I just tried disabling "Use default gateway on remote network" under the VPN connection properties -> Networking tab -> IPv4 properties -> Advanced and can now access the LAN. I'm still having trouble getting my DNS suffix to work properly, but it's progress.

            tripaicr
            last edited by May 12, 2015, 5:36 PM

            @doktornotor:

            The IPsec tab has an "allow all" rule.
            See screenshots for all rules.

            @shreek:
            If I set the virtual address pool in the mobile clients tab to 192.168.23.144/28 and I manually add the route on the client after connecting the VPN, I get access to the internal LAN.
            To set the route on Win7 use "route add 192.168.22.0 MASK 255.255.255.0 192.168.23.145", where 192.168.23.145 is the IP of the VPN interface on the client.
            The connection was successful after following these instructions: https://forum.pfsense.org/index.php?topic=93541.0 and http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801

            [screenshots: fw1.png, fw2.png, fw3.png, fw4.png]

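The client-side fix the thread converges on (keep the VPN's default gateway off so only LAN traffic uses the tunnel, then add a route for the LAN via the VPN adapter's pool address), as an added PowerShell example that is not from the thread or from Netgate. It assumes a Windows 8 or later client (the VpnClient and NetTCPIP cmdlets it uses are not available on the Windows 7 client discussed above) and a VPN connection named 'pfSense IPsec'.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on Windows 8+.
#  1. split tunnel: same effect as unticking "Use default gateway on remote network"
#  2. after dialing, route the remote LAN via the RAS adapter's virtual-pool address
param(
    [string]$VpnName   = 'pfSense IPsec',    # assumption: name of the Windows VPN connection
    [string]$RemoteLan = '192.168.22.0/24',  # LAN behind pfSense, from the thread
    [string]$LanHost   = '192.168.22.5'      # pfSense LAN address, used for the final check
)

# 1. Split tunnel; takes effect on the next dial, so set it while disconnected.
if ((Get-VpnConnection -Name $VpnName -ErrorAction Stop).ConnectionStatus -ne 'Connected') {
    Set-VpnConnection -Name $VpnName -SplitTunneling $true -ErrorAction Stop
    rasdial $VpnName | Out-Null      # prompts for credentials if none are saved
    if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }
}

# 2. The RAS adapter is named after the connection; its IPv4 address is the one pfSense
#    handed out from the mobile clients virtual address pool (192.168.23.145 in the thread).
$vpnAddr = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction Stop |
           Select-Object -First 1

# The adapter's interface index changes on every dial, so the route goes into the
# active store only (a persistent entry would go stale) and has to be re-added after
# each connection, e.g. from a scheduled task triggered by a RasClient connect event.
$existing = Get-NetRoute -DestinationPrefix $RemoteLan -InterfaceIndex $vpnAddr.InterfaceIndex `
            -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetRoute -DestinationPrefix $RemoteLan -InterfaceIndex $vpnAddr.InterfaceIndex `
                 -NextHop $vpnAddr.IPAddress -PolicyStore ActiveStore | Out-Null
}

# Check: a LAN destination must resolve to the VPN adapter, not the physical NIC.
# Find-NetRoute returns the source address object and the chosen route; keep the route.
$chosen = Find-NetRoute -RemoteIPAddress $LanHost | Where-Object { $_.DestinationPrefix }
if ($chosen.InterfaceAlias -ne $VpnName) {
    throw "Traffic to $LanHost would leave via '$($chosen.InterfaceAlias)', not the VPN"
}
"$RemoteLan is routed via $VpnName ($($vpnAddr.IPAddress))"
```

When the pool is changed to a different subnet than the LAN, as the last post describes, this is the only client-side step still needed; with the pool inside the LAN's own /24 the route alone does not help, since the client treats those addresses as on-link.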
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.