IPhone IPsec connects but not routing traffic 2.2.3



  • After reading numerous tutorials on the exact config needed and trying to extrapolate what they were all saying and apply it to 2.2.3, I'm left with a config I can connect to from my iPhone, but no traffic seems to pass over the interface. I've tried both settings of "Provide a list of accessible networks to clients", and with it I see in diag_ipsec.php a new entry for one of two subnets I have set up in my local or site-to-site IPsec VPN.  That setup is working fine, though I recently disabled it to make sure it wasn't causing the issue.  I'm at a loss and looking for pointers on what I might try to get this working.  I'm replacing a Fortigate system I've had for a few years, and this is the last piece I need to get working to be able to trash the failing Fortigate for good.  I've also attached some images for clarification; as I'm new to the pfSense world I figured they might help illustrate what I'm seeing.


    ![Phase 2.png](/public/imported_attachments/1/Phase 2.png)



  • Maybe a phase 2 problem? What can you see in the logs? I have it working, so could you paste your phase 1 and 2, and mobile configuration?

    Did you configure the ipsec firewall rule as well???



  • What area of the logs would be most helpful?  I can include the phase 1, phase 2, mobile client settings and the rules in screenshots.

    ![Screen Shot 2015-07-16 at 10.59.59 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-16 at 10.59.59 AM.png)
    ![Screen Shot 2015-07-16 at 10.59.16 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-16 at 10.59.16 AM.png)
    ![Screen Shot 2015-07-16 at 11.02.42 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-16 at 11.02.42 AM.png)
    ![Screen Shot 2015-07-16 at 11.04.32 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-16 at 11.04.32 AM.png)



  • I forgot to add this since I saw it in another thread while researching the issue.

    ![Screen Shot 2015-07-16 at 11.08.42 AM.png](/public/imported_attachments/1/Screen Shot 2015-07-16 at 11.08.42 AM.png)



  • Upgrade to the latest 2.2.4 @ https://snapshots.pfsense.org first; that circumstance isn't going to work right in 2.2.3.



  • I upgraded to the 2015-07-17 snapshot and it still isn't working; maybe this evening when I get a chance I will set up a new VM on the host and try it fresh.  I did a fresh VM with 2.2.3 and wasn't able to get it to route traffic either.



  • That was part of the issue but not all of it, now that I look closer at your screenshots. The peer identifier isn't asn1dn with that setup, it's user distinguished name. https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To



  • You sure about that?  I'm not having any issues authenticating, even against the RADIUS DB in Mac OS.  The only issue I am having is passing traffic.  I can try that, but from what I remember it changed the behavior to require an email instead of just a name.



  • Ok, so the fresh install from the 1:30pm DEV release did kind of work.  I was able to just redo the few basic settings I had from memory, and everything connected as expected and I was able to hit devices over the VPN.  I was also able to leave the setting of user distinguished name, so I didn't have to use an email address, which it was requiring prior to.  I have an issue connecting to one system, a home DVR: it won't connect at all, but various other items are fine, and I see the allow rule trigger in the logs but the app doesn't respond.  Things like web traffic and vmc work flawlessly.  I checked my rules and I have the protocol set to any, thinking it was a UDP/TCP issue at first.

    It also now isn't connecting to my remote IPsec site, but I see some very erratic P2 behavior and I am hopeful updating the remote site to the latest dev release of pfSense will fix that.



  • I'm still fighting with two issues that maybe someone could offer a direction on how to troubleshoot.

    Site-to-site VPN is up, and local traffic can talk to the remote site without issue, and from the other side same thing.  When I connect to the mobile VPN I can ping local resources fine.  If I try to ping the remote site over the site-to-site VPN I don't get any traffic on the remote side.

    The other issue is a local DVR camera system.  I can connect to most of the services I've tried: ssh, http, vnc.  However, when I connect to the DVR I get a timeout.

    I'm hoping these might be related, because when I examine the logs they both show they should be working.  I see the green arrows showing the traffic is allowed, but the traffic doesn't seem to go where I expect it to go.



  • You need another P2 on the site to site to match your mobile IPsec subnet.

    The DVR is probably missing a default gateway, or has a wrong subnet mask.
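    The advice above comes down to a traffic-selector question: a flow from the mobile client pool to the remote LAN is only handed to the site-to-site tunnel if a Phase 2 on the local end has the mobile pool as its local network, and the remote end has the reciprocal selector. The check below is an added example written for this thread, not part of the original posts or of pfSense; all addresses are constructed placeholders.

    ```python
    """Check whether Phase 2 traffic selectors cover a flow in both directions.
    Added example for this thread; all networks are constructed placeholders."""
    from ipaddress import ip_address, ip_network

    # Each Phase 2 is (local_network, remote_network) as seen from the firewall
    # that owns it. Constructed sample: head end has LAN 192.168.10.0/24 and a
    # mobile client pool 192.168.50.0/24; the remote site's LAN is 10.20.0.0/24.
    HEAD_END_P2 = [
        ("192.168.10.0/24", "10.20.0.0/24"),   # head-end LAN <-> remote LAN only
    ]
    REMOTE_P2 = [
        ("10.20.0.0/24", "192.168.10.0/24"),   # remote LAN <-> head-end LAN only
    ]


    def covers(p2_list, src, dst):
        """Return the (local, remote) Phase 2 whose selectors contain src->dst,
        or None when no selector matches (the packet is then not tunnelled)."""
        for local, remote in p2_list:
            if ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote):
                return (local, remote)
        return None


    def check_flow(head_end_p2, remote_p2, src, dst):
        """src is behind the head end (for example a mobile client address),
        dst is behind the remote end. Both sides must select the flow:
        head end for src->dst, remote end for the reverse direction dst->src."""
        outbound = covers(head_end_p2, src, dst)
        reciprocal = covers(remote_p2, dst, src)
        return {"outbound": outbound, "reciprocal": reciprocal,
                "ok": outbound is not None and reciprocal is not None}


    if __name__ == "__main__":
        mobile_client, remote_host = "192.168.50.5", "10.20.0.40"
        # With only the LAN<->LAN Phase 2, the mobile client's ping is not selected.
        print(check_flow(HEAD_END_P2, REMOTE_P2, mobile_client, remote_host))
        # Adding the extra Phase 2 for the mobile pool on BOTH ends fixes it.
        fixed_head = HEAD_END_P2 + [("192.168.50.0/24", "10.20.0.0/24")]
        fixed_remote = REMOTE_P2 + [("10.20.0.0/24", "192.168.50.0/24")]
        print(check_flow(fixed_head, fixed_remote, mobile_client, remote_host))
    ```

    Running the check with the extra selector on only one side reproduces the asymmetric result described later in the thread: one direction is covered and the other is not.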



  • @cmb:

    > You need another P2 on the site to site to match your mobile IPsec subnet.
    >
    > The DVR is probably missing a default gateway, or has a wrong subnet mask.

    Dead on with the DVR: it had a .0 instead of .1, and I guess for the past three years it was like that, but with the other router I was able to use a local IP to assign to the IPsec tunnel so it didn't matter.

    I already had the remote P2 for the local mobile IPsec subnet, but I didn't have one for the local site-to-site, so I added that; still no go.  I just got my new hardware in, so I'm going to get VMware set up on that, which will allow me to experiment a little easier.



  • Latest discovery is that I can send ICMP packets from the remote IPsec network to my mobile IPsec connection and they reply fine.  When I send them from the mobile IPsec network I see them go through the IPsec interface on the remote network, but if I watch the LAN interface it doesn't seem to forward them out to the intended device.

    I'm using the 0.0.0.0/0 on the mobile IPsec connection with "Provide a list of accessible networks to clients" turned off, and I have reciprocal setups for the mobile IP range for both of the site-to-site IPsec configurations.



  • Sounds like it's not getting allowed by the firewall rules on the IPsec tab on the remote end. Since it works in the opposite direction, the VPN itself must be fine all around.



  • I started a new VM on the remote site and started from scratch.  I set it up a while back to connect to the Fortigate I used to have here, so I can't remember what all I experimented with or had done to get it to work.  The good news is that after just setting everything up by hand it is all working, so it likely was something like that.