[solved] rw-cert - my tunnel is up but I can't route/nat to the lan
-
Hello,
I am trying to set up a VPN between a PfSense and a Debian box. I had a look at https://www.strongswan.org/uml/testresults/ikev2/rw-cert/index.html for the client config.
My network is :
[Control host] .1 – 192.168.0.0/24 (lan) -- .254 [PfSense] .5 – 10.0.0.0/24 (wan) -- .4 [Client]
I want to set up a tunnel between PfSense and Client, like a roadwarrior.
I successfully set up a tunnel between PfSense and Client. From Client:
scheduling reauthentication in 3370s
maximum IKE_SA lifetime 3550s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'home' established successfully
And from Client, I can ping 192.168.0.254. A tcpdump on the PfSense WAN NIC shows:
16:19:09.328565 IP 10.0.0.4 > 10.0.0.5: ESP(spi=0xc0d1e066,seq=0x4), length 132
But on the LAN NIC, if I ping the control host:
16:10:17.412322 IP 10.0.0.4 > 192.168.0.1: ICMP echo request, id 3432, seq 11, le
I guess I have a NAT or routing issue, but I don't get it.
Can you help me debug my VPN, or link me to a nice howto about a roadwarrior cert IPsec VPN?
-
-
https://doc.pfsense.org/index.php/IPsec_RSA_Authentication_Quick_Start
-
Add a virtual IP network (overlapping the LAN, i.e. a /25 if the LAN is a /24)
-
Add leftsourceip (can be %config) for the client and check: https://www.strongswan.org/uml/testresults/ikev2/virtual-ip/carol.ipsec.conf, but in the /25 specified above; take care about the id (can be %config)
-
Add proxy ARP if the tunnel status shows a nat-t feature
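As an added example (not from the thread or from strongSwan's own test files), a client-side /etc/ipsec.conf for the Debian box that follows the rw-cert and virtual-ip configs linked above and applies the leftsourceip step; the certificate file name, the pfSense identifier and the 192.168.0.128/25 pool are assumptions.

```conf
# /etc/ipsec.conf on the Debian client (10.0.0.4). Assumed values: the cert
# file name, the pfSense identifier, and the virtual IP pool 192.168.0.128/25
# (a /25 inside the 192.168.0.0/24 LAN, as the steps above describe).

config setup

conn %default
        keyexchange=ikev2
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn home
        left=10.0.0.4                  # client WAN address
        leftcert=clientCert.pem        # assumed name, in /etc/ipsec.d/certs/
        # leftid is omitted: strongSwan then uses the certificate's subject DN,
        # which must match the peer identifier configured on pfSense.
        # Without the next line the client sends LAN-bound packets from
        # 10.0.0.4 (the tcpdump in the first post); the control host has no
        # route back to 10.0.0.0/24 through pfSense, so replies never return.
        leftsourceip=%config           # request a virtual IP from the /25 pool
        leftfirewall=yes               # updown script opens iptables for the SA
        right=10.0.0.5                 # pfSense WAN address
        rightid="C=FR, O=Example, CN=pfsense"   # assumed pfSense identifier
        rightsubnet=192.168.0.0/24     # LAN reachable through the tunnel
        auto=add

# Check after `ipsec up home`: `ip addr show` should list an address from
# 192.168.0.128/25 on the client, and pinging 192.168.0.1 from it should get
# replies once pfSense has a Proxy ARP virtual IP for 192.168.0.128/25, so
# that pfSense answers the control host's ARP requests for the pool addresses.
```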
-
-
I am having the same issue as you. Can you point me to what exactly you added in the Virtual IP network and the proxy ARP?