Netgate Discussion Forum

    IPSec Mobile Client Windows IKE2 routing issue

    johnsonp

      I hope someone can help me.

      I am able to connect to my IPSec VPN client configured on pfSense without a problem using RADIUS since 2.2.4 was released, but I am unable to get to any hosts on the internal LAN.  The pfSense config is detailed below, but I should also point out that my network is set up with "back to back" firewalls.  (Note I renamed the WAN interface in pfSense to DMZ).

      It looks like this:

      External --> TMG FW --> DMZ (192.168.99.0/24) --> pfSense --> LAN (192.168.1.0/24)

      I have rules on TMG which proxy pfSense ports 500 and 4500.  I am using a wildcard SSL certificate which I have imported into pfSense (along with the intermediate/signing certs) if that has any bearing on this.

      I have created an allow all rule in pfSense on the IPSec tab for all protocols/source/destinations.

      Is there anything obviously wrong about this which would prevent access to the LAN machines over VPN?  Can I enable more logging to see what is happening?

      Thanks in advance for any advice
      Peter

      I've configured IPSEC Mobile Client as follows:

      User Authentication:    RADIUS
      Group Authentication:   None
      Virtual Address Pool:   Yes
        Network:              192.168.115.0/24
      Network List:           Yes
      Save XAuth:             No
      DNS Default domain:     Yes
        xxxxx.local
      Split DNS:              No
      DNS Servers:            Yes
        192.168.1.12
        192.168.1.28
      WINS Servers:           Yes
        192.168.1.12
      Phase 2 PFS Group:      Off

      Then phase 1 as follows:

      Key Exchange:           v2
      Internet protocol:      ipv4
      Interface:              DMZ
      Auth method:            EAP-RADIUS
      My identifier:          Distinguished name / vpn.xxxxxxxxxx
      Peer identifier:        Any
      My Certificate:         *.xxxxxxxxxx
      My CA:                  AddTrustExternalCARoot
      Enc algorithm:          AES / 256
      Hash algorithm:         SHA256
      DH key group:           2 (1024)
      Lifetime:               28800
      Disable rekey:          No
      Disable reauth:         No
      Responder only:         No
      MOBIKE:                 Yes
      Dead peer detection:    Yes
        10 seconds
        5 retries

      And finally phase 2 as follows:

      Mode:                   Tunnel IPv4
      Local Network:          LAN subnet
      Protocol:               ESP
      Enc algorithm:          AES / auto
      Hash algorithm:         SHA1
      PFS key group:          Off
      Lifetime:               3600
      Auto ping host:
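
An added sanity check over the addressing described in the post above (example code, not from the poster or from pfSense): it takes the LAN, DMZ, client pool, Phase 2 local network, pushed DNS/WINS servers and Phase 1 DH group as the post lists them, and reports the pitfalls that commonly leave a mobile client connected but unable to reach the LAN, plus the weak DH group. The subnet and server values are the poster's own; the check itself is assumed, not a pfSense feature.

```python
import ipaddress

# Figures taken from the post (the poster's own subnets and servers).
LAN = "192.168.1.0/24"
DMZ = "192.168.99.0/24"
CLIENT_POOL = "192.168.115.0/24"
P2_LOCAL = LAN                                      # "Local Network: LAN subnet"
PUSHED_SERVERS = ["192.168.1.12", "192.168.1.28"]   # DNS and WINS pushed to clients
P1_DH_GROUP = 2                                     # "DH key group: 2 (1024)"

WEAK_DH_GROUPS = {1, 2, 5}   # MODP-768/1024/1536; 1024-bit MODP is considered weak


def check_mobile_ipsec(lan, dmz, pool, p2_local, servers, dh_group):
    """Return a list of findings for a pfSense mobile-client IPsec layout.

    An empty list means none of the checked pitfalls apply; it does not
    prove that the tunnel routes correctly.
    """
    lan, dmz = ipaddress.ip_network(lan), ipaddress.ip_network(dmz)
    pool, p2_local = ipaddress.ip_network(pool), ipaddress.ip_network(p2_local)
    findings = []

    # 1. The virtual address pool must not overlap a real subnet; if it does,
    #    LAN hosts have an ambiguous return path for client traffic.
    for name, net in (("LAN", lan), ("DMZ", dmz)):
        if pool.overlaps(net):
            findings.append(f"client pool {pool} overlaps {name} {net}")

    # 2. The Phase 2 local network is the traffic selector the client is
    #    allowed to reach; the LAN and the pushed DNS/WINS servers must be in it.
    if not lan.subnet_of(p2_local):
        findings.append(f"LAN {lan} is not covered by Phase 2 local network {p2_local}")
    for s in servers:
        if ipaddress.ip_address(s) not in p2_local:
            findings.append(f"pushed server {s} is outside Phase 2 local network {p2_local}")

    # 3. Phase 1 key exchange strength.
    if dh_group in WEAK_DH_GROUPS:
        findings.append(f"Phase 1 DH group {dh_group} is weak; use group 14 (2048-bit) or higher")
    return findings


if __name__ == "__main__":
    for f in check_mobile_ipsec(LAN, DMZ, CLIENT_POOL, P2_LOCAL, PUSHED_SERVERS, P1_DH_GROUP):
        print("finding:", f)
```

With the post's values the only finding is the weak DH group; the addressing itself passes these checks, so the routing problem lies elsewhere (the TMG proxying or the client's traffic selector handling are the remaining places to look).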

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.