Netgate Discussion Forum

    2.2.4 upgrade from 2.1.5 - ipsec now disconnects mobile clients.

    10 Posts 4 Posters 2.7k Views
scottzech

      I've been reviewing the logs and nothing seems to jump at me.

Clients connect for 10 minutes or so and then disconnect. This config ran well for 3 years.
Free pizza for whoever helps me figure this out!

pfSense 2.2.4 on my hardware - IKEv1, aggressive, mutual PSK
Clients are Windows 7/8 using the latest Shrew client.

      Here's the ipsec log:
      Aug 3 22:07:27 charon: 14[CFG] <con1|5>lease 192.168.253.1 by 'scott@nci-mn.com' went offline
      Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (84 bytes)
      Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 4183509262 [ HASH D ]
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for IKE_SA con1[5]
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for IKE_SA con1[5]
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]…173.160.119.193[scott@nci-mn.com]
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>deleting IKE_SA con1[5] between 67.139.181.194[mobile@nci-mn.com]…173.160.119.193[scott@nci-mn.com]
      Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
      Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 3823818640 [ HASH D ]
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c95903eb
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c95903eb
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
      Aug 3 22:07:27 charon: 14[IKE] <con1|5>closing CHILD_SA con1{12} with SPIs c95903eb_i (0 bytes) 27870ce9_o (110600 bytes) and TS 0.0.0.0/0|/0 === 192.168.253.1/32|/0
      Aug 3 22:07:27 charon: 14[NET] <con1|5>sending packet: from 67.139.181.194[4500] to 173.160.119.193[4500] (76 bytes)
      Aug 3 22:07:27 charon: 14[ENC] <con1|5>generating INFORMATIONAL_V1 request 2282457310 [ HASH D ]
Aug 3 22:07:27 charon: 14[IKE] <con1|5>sending DELETE for ESP CHILD_SA with SPI c9da6911

MrMoo

Consider Windows' built-in Agile VPN (scroll down a lot), which works well using IKEv2. The password policy with Shrew Soft is annoying enough as it is to try something else.

jimp (Rebel Alliance Developer, Netgate)

          Not enough of the log there to say for sure what's happening.
          Set the logs for debugging as suggested at https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

          Consider switching to a newer style VPN such as https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 if your clients are all Windows 7 or later.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

scottzech

            jimp,
Thanks a ton for your recommendation - I went ahead with the IKEv2 implementation with EAP per your recommendation.
            I really appreciate your help, and pizza can be yours when you are ready!

            I do have an existing issue:
Basic setup is a 10.0.0.0/8 local network. The VPN is for remote users to access a local VoIP server. Remote users should not redirect other internet traffic through the VPN. All other routing to the internet should continue on the mobile user's internet connection.
I have enabled the "provide a list of accessible networks to clients" feature.
The virtual address pool is set up (192.168.250.0/24).

When I connect using a Windows 8.1 client, it continues to route all internet traffic to the VPN host, and since that is not allowed, all other internet traffic dies. Traffic to 10.0.0.0/8 through the VPN then works correctly.

What I want to do is route only 10.0.0.0/8 through the VPN.

If I go to the VPN network adapter in Windows 8 and uncheck "use default gateway on remote network", then internet access on the mobile end works fine, but I cannot ping the 10.0.0.0/8 network.

Something I am missing here?
I hope to push the config from the firewall and limit the amount of hand tuning on the Windows 8.1 remotes.
You have my email if you want some pizza!

scottzech

Routes without VPN connected:
              C:\Windows\system32>route print -4

              Interface List
                6…1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
                5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
                3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
                1...........................Software Loopback Interface 1
                7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
              12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

              IPv4 Route Table

              Active Routes:
              Network Destination        Netmask          Gateway      Interface  Metric
                        0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113    25
                      127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                      127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                  192.168.50.0    255.255.254.0        On-link    192.168.50.113    281
                192.168.50.113  255.255.255.255        On-link    192.168.50.113    281
                192.168.51.255  255.255.255.255        On-link    192.168.50.113    281
                      224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                      224.0.0.0        240.0.0.0        On-link    192.168.50.113    281
                255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                255.255.255.255  255.255.255.255        On-link    192.168.50.113    281

              Persistent Routes:
                None

Routes with VPN connected, with the VPN adapter settings set to not use the remote gateway:

              Interface List
              48...........................northerncapital-mn.com
                6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
                5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
                3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
                1...........................Software Loopback Interface 1
                7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
              12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
              13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

              IPv4 Route Table

              Active Routes:
              Network Destination        Netmask          Gateway      Interface  Metric
                        0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113    25
                45.137.181.194  255.255.255.255    192.168.50.1  192.168.50.113    26
                      127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                      127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                  192.168.50.0    255.255.254.0        On-link    192.168.50.113    281
                192.168.50.113  255.255.255.255        On-link    192.168.50.113    281
                192.168.51.255  255.255.255.255        On-link    192.168.50.113    281
                  192.168.250.0    255.255.255.0        On-link    192.168.250.1    26
                  192.168.250.1  255.255.255.255        On-link    192.168.250.1    281
                192.168.250.255  255.255.255.255        On-link    192.168.250.1    281
                      224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                      224.0.0.0        240.0.0.0        On-link    192.168.50.113    281
                      224.0.0.0        240.0.0.0        On-link    192.168.250.1    281
                255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                255.255.255.255  255.255.255.255        On-link    192.168.50.113    281
                255.255.255.255  255.255.255.255        On-link    192.168.250.1    281

              Persistent Routes:
                None

And finally these are the routes when the VPN is connected and routes to the 10.0.0.0/8 network correctly.
              C:\Windows\system32>route print -4

              Interface List
              48...........................northerncapital-mn.com
                6...1e b5 7d 1a a7 3a ......Microsoft Wi-Fi Direct Virtual Adapter
                5...ac b5 7d 1a a7 3a ......Qualcomm Atheros AR9485 Wireless Network Adapter
                3...f8 a9 63 fe ad 2d ......Realtek PCIe FE Family Controller
                1...........................Software Loopback Interface 1
                7...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
              12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
              13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

              IPv4 Route Table

              Active Routes:
              Network Destination        Netmask          Gateway      Interface  Metric
                        0.0.0.0          0.0.0.0    192.168.50.1  192.168.50.113  4250
                        0.0.0.0          0.0.0.0        On-link    192.168.250.1    26
                45.137.181.194  255.255.255.255    192.168.50.1  192.168.50.113  4251
                      127.0.0.0        255.0.0.0        On-link        127.0.0.1  4531
                      127.0.0.1  255.255.255.255        On-link        127.0.0.1  4531
                127.255.255.255  255.255.255.255        On-link        127.0.0.1  4531
                  192.168.50.0    255.255.254.0        On-link    192.168.50.113  4506
                192.168.50.113  255.255.255.255        On-link    192.168.50.113  4506
                192.168.51.255  255.255.255.255        On-link    192.168.50.113  4506
                  192.168.250.1  255.255.255.255        On-link    192.168.250.1    281
                      224.0.0.0        240.0.0.0        On-link        127.0.0.1  4531
                      224.0.0.0        240.0.0.0        On-link    192.168.50.113  4506
                      224.0.0.0        240.0.0.0        On-link    192.168.250.1    26
                255.255.255.255  255.255.255.255        On-link        127.0.0.1  4531
                255.255.255.255  255.255.255.255        On-link    192.168.50.113  4506
                255.255.255.255  255.255.255.255        On-link    192.168.250.1    281

              Persistent Routes:
                None

So, if strongSwan is providing a list of accessible networks, should it not be telling the Windows 8.1 client that the 10.0.0.0/8 network should route to the VPN and all other networks are accessed through the remote site's internet connection?

scottzech

                Hey Jimp,
So I was able to uncheck the box on the Windows 8.1 VPN connection to not use the default gateway on the VPN router. This allows mobile clients to continue using their own ISP for internet traffic.
Then I manually added a route for the 10.0.0.0/8 network, and that allows them to use the VoIP system at the office.

However, I really don't want to have to train all the users to connect the Windows 8 VPN, then run a .cmd file to add the route.
Since the pfSense 2.2.4 option to "provide a list of accessible networks" is checked, I'm not sure why this isn't working.

                I really appreciate anyone's help.

                thanks,
                scott

Darkk
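The manual route step above can be made to stick on the client itself with the Windows VpnClient PowerShell cmdlets (Windows 8.1 and later), which bind the split-tunnel setting and the 10.0.0.0/8 route to the VPN profile so Windows reinstalls the route every time the tunnel comes up. This is an added example, not code from the thread or from pfSense; the connection name is taken from the interface list posted above, the server name is a placeholder, and the profile is assumed to be a per-user one (add -AllUserConnection to each cmdlet for an all-users profile).

```powershell
# Added example (not from the thread): split-tunnel IKEv2/EAP client setup on Windows 8.1+.
# Assumptions: connection name as seen in the posted interface list; server name is a placeholder.
# Run from an elevated PowerShell on the client.
$ConnName = 'northerncapital-mn.com'
$Server   = 'vpn.example.invalid'   # placeholder: the firewall's public hostname

# Create the IKEv2 connection with EAP (MSCHAPv2) if it does not exist yet.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -RememberCredential -SplitTunneling
}

# Same effect as unchecking "Use default gateway on remote network":
# the client keeps its ISP gateway as the 0.0.0.0/0 route.
Set-VpnConnection -Name $ConnName -SplitTunneling $true

# Replaces the 'route add' in a .cmd file: the prefix is stored on the profile and
# installed on the VPN adapter each time the connection is dialled.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix '10.0.0.0/8' -PassThru

# Verification after dialling (rasdial $ConnName): the 10.0.0.0/8 route should sit on the
# VPN interface while the default route still points at the local gateway.
Get-NetRoute -DestinationPrefix '10.0.0.0/8' | Format-Table DestinationPrefix, InterfaceAlias, RouteMetric
Get-NetRoute -DestinationPrefix '0.0.0.0/0'  | Format-Table DestinationPrefix, NextHop, InterfaceAlias
```

Only the routes listed on the profile go through the tunnel, which is also the least-privilege outcome the thread is after: the VPN server never becomes the client's internet gateway.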

                  So adding:

                  push "route 10.0.0.0 255.0.0.0";

                  in the Advanced configuration didn't work?

scottzech

Sorry, not sure I understand.
Advanced configuration of the VPN or the client?

scottzech

Or are you thinking of push routes in OpenVPN?

jimp (Rebel Alliance Developer, Netgate)

                        For others following this thread, the (new) issue of split-tunnel/routing with IKEv2 was moved to this thread: https://forum.pfsense.org/index.php?topic=97627.0

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.