2.2.4 upgrade from 2.1.5 - ipsec now disconnects mobile clients.
-
I've been reviewing the logs and nothing seems to jump at me.
clients connect for 10 minutes or so and then disconnect. This config ran well for 3 years.
Free pizza for whoever helps me figure this out!pfsense 2.2.4 on my hardware - IKE1, aggressive, mutual psk
clients are windows 7/8 using latest shrew clientHere's the ipsec log:
Aug 3 22:07:27 charon: 14[CFG] <con1|5>lease 192.168.253.1 by 'scott@nci-mn.com' went offline
Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (84 bytes)
Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 4183509262 [ HASH D ]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for IKE_SA con1[5]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for IKE_SA con1[5]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]…173.160.119.193[scott@nci-mn.com]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]…173.160.119.193[scott@nci-mn.com]
Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 3823818640 [ HASH D ]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c95903eb
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c95903eb
Aug 3 22:07:27 charon: 14[IKE] <con1|5>closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
Aug 3 22:07:27 charon: 14[IKE] <con1|5>closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 2282457310 [ HASH D ]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c9da6911</con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5> -
Consider Windows built in Agile VPN (scroll down a lot) which works well using IKEv2. The password policy with Shrewsoft is annoying enough as it is to try something else.
-
Not enough of the log there to say for sure what's happening.
Set the logs for debugging as suggested at https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29Consider switching to a newer style VPN such as https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 if your clients are all Windows 7 or later.
-
jimp,
Thanks a ton for your recommendation - I went ahead with ikev2 implementation with eap per your recommendation.
I really appreciate your help, and pizza can be yours when you are ready!I do have an existing issue:
Basic setup is 10.0.0.0/8 local network. Vpn is for remote users to access a local voip server. Remote users should not redirect other internet traffic through vpn. All other routing to internet should continue on the mobile users internet connection.
I have enabled the "provide a list of accessible networks to clients" feature.
Virtual address pool is setup (192.168.250.0/24)When I connect using a windows 8.1 client, it continues to route all internet traffic to the VPN host, and since that is not allowed, all other internet traffic dies. Traffic to the 10.0.0.0/8 through the vpn then works correctly.
What I want to do is route only 10.0.0.0/8 through the vpn.
If I go to the vpn network adapter in window 8 and uncheck "use default gateway on remote network" then internet access on mobile end works fine, but i cannot ping the 10.0.0.0/8 network.
Something I am missing here??
I hope to push the config from the firewall and limit the amount of hand tuning on the windows 8.1 remotes
You have my email if you want some pizza! -
routes without VPN connected:
C:\Windows\system32>route print -4Interface List
6…1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.50.1 192.168.50.113 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.50.0 255.255.254.0 On-link 192.168.50.113 281
192.168.50.113 255.255.255.255 On-link 192.168.50.113 281
192.168.51.255 255.255.255.255 On-link 192.168.50.113 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.50.113 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.50.113 281Persistent Routes:
NoneRoutes with VPN connected with vpn adapter settings set to not user remote gateway:
Interface List
48...........................northerncapital-mn.com
6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.50.1 192.168.50.113 25
45.137.181.194 255.255.255.255 192.168.50.1 192.168.50.113 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.50.0 255.255.254.0 On-link 192.168.50.113 281
192.168.50.113 255.255.255.255 On-link 192.168.50.113 281
192.168.51.255 255.255.255.255 On-link 192.168.50.113 281
192.168.250.0 255.255.255.0 On-link 192.168.250.1 26
192.168.250.1 255.255.255.255 On-link 192.168.250.1 281
192.168.250.255 255.255.255.255 On-link 192.168.250.1 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.50.113 281
224.0.0.0 240.0.0.0 On-link 192.168.250.1 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.50.113 281
255.255.255.255 255.255.255.255 On-link 192.168.250.1 281Persistent Routes:
NoneAnd finally this is the routes when VPN is connected and routes to 10.0.0.0/8 network correctly.
C:\Windows\system32>route print -4Interface List
48...........................northerncapital-mn.com
6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.50.1 192.168.50.113 4250
0.0.0.0 0.0.0.0 On-link 192.168.250.1 26
45.137.181.194 255.255.255.255 192.168.50.1 192.168.50.113 4251
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
192.168.50.0 255.255.254.0 On-link 192.168.50.113 4506
192.168.50.113 255.255.255.255 On-link 192.168.50.113 4506
192.168.51.255 255.255.255.255 On-link 192.168.50.113 4506
192.168.250.1 255.255.255.255 On-link 192.168.250.1 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.50.113 4506
224.0.0.0 240.0.0.0 On-link 192.168.250.1 26
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.50.113 4506
255.255.255.255 255.255.255.255 On-link 192.168.250.1 281Persistent Routes:
NoneSO, if strongwan is providing a list of accessible networks, should it not be telling the windows 8.1 client that 10.0.0.0/8 network should route to VPN and all other networks access through remote sites internet connection?
-
Hey Jimp,
So I was able to uncheck the box on the windows 8.1 vpn connection to not use the default gateway on the vpn router. This allows mobile clients to continue using their own ISP for internet traffic.
Then I manually added a route for the 10.0.0.0/8 network and that allows them to use the VOIP system at the office.However, I really don't want to have to train all the users to connect windows 8 vpn, then run a .cmd file to add the route.
Since pfsense 2.2.4 option to "provide a list of accessible networks" is checked, I'm not sure why this isn't working.I really appreciate anyone's help.
thanks,
scott -
So adding:
push "route 10.0.0.0 255.0.0.0";
in the Advanced configuration didn't work?
-
sorry, not sure I understand.
Advanced configuration of the vpn or the client? -
or are you thinking of push routes in openvpn?
-
For others following this thread, the (new) issue of split-tunnel/routing with IKEv2 was moved to this thread: https://forum.pfsense.org/index.php?topic=97627.0
