IPSec Mobile Client Windows IKE2 routing issue



  • I hope someone can help me.

    I am able to connect to my IPSec VPN client configured on pfSense without a problem using RADIUS since 2.2.4 was released, but I am unable to get to any hosts on the internal LAN.  The pfSense config is detailed below, but i should also point out that my network is set up with "back to back" firewalls.  (Note I renamed the WAN interface in pfSense to DMZ).

    It looks like this:

    External –> TMG FW --> DMZ (192.168.99.0/24) --> pfSense --> LAN (192.168.1.0/24)

    I have rules on TMG which proxy pfsense ports 500 and 4500.  I am using a wildcard SSL certificate which I have imported into pfSense (along with th intermediate/sigining certs) if that has any bearing on this.

    I have created an allow all rule in pfSense on the IPSec tab for all protocols/source/destinations.

    Is there anything obviously wrong about this which would prevent access to the LAN machines over VPN?  Can I enable more logging to see what is happening?

    Thanks in advance for any advice
    Peter

    I've configured IPSEC Mobile Client as follows:

    User Authentication:    RADIUS
        Group Authentication:  None

    Virtual Address Pool:  Yes
                Network:        192.168.115.0/24

    Network List:          Yes
        Save XAuth:            No
        DNS Default domain:    Yes
                                xxxxx.local

    Split DNS:              No
        DNS Servers:            Yes
                                192.168.1.12
                                192.168.1.28

    WINS Servers:          Yes
                                192.168.1.12

    Phase 2 PFS Group:      Off

    Then phase 1 as follows:

    Key Exchange:          v2
        Internet protocol:      ipv4
        Interface:              DMZ

    Auth method:            EAP-RADIUS
        My identifier:          Distinguished name / vpn.xxxxxxxxxx
        Peer identifier:        Any
        My Certificate:        *.xxxxxxxxxx
        My CA:                  AddTrustExternalCARoot

    Enc algorithm:          AES / 256
        Hash algorithm:        SHA256
        DH key group:          2 (1024)
        Lifetime:              28800

    Disable rekey:          No
        Disable reauth:        No
        Responder only:        No
        MOBIKE:                Yes
        Dead peer detection:    Yes
                                10 seconds
                                5 retries

    And finally phase 2 as follows:

    Mode:                  Tunnel IPv4
        Local Network:          LAN subnet

    Protocol:              ESP
        Enc algorithm:          AES / auto
        Hash algorithm:        SHA1
        PFS key group:          Off
        Lifetime:              3600

    Auto ping host: