Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Mobile IPSec split tunnel not working anymore

    Scheduled Pinned Locked Moved 2.3-RC Snapshot Feedback and Issues - ARCHIVED
    3 Posts 2 Posters 3.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      masterzen
      last edited by

      Hi,

      I've upgraded to 2.3 lately from 2.2.6 and discovered that the IPSec Mobile PSK+XAuth IKEv1 users (from OSX or Windows Shrew) can't access the Internet when their VPN is on. They can access the firewall LAN correctly though. So the tunnel is not split at all.

      Looking at the pfsense log, all the traffic seems to be sent to the firewall where the ipsec rules are preventing this traffic.
      The pfsense ipsec phase 2 configuration is correctly set in mode Tunnel with a Local Network as LAN. There's no NAT or BINAT.

      Here's the ipsec log when I connect:

      
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received XAuth vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received Cisco Unity vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> received DPD vendor ID
Apr 6 09:12:51  charon    15[IKE] <6> 5.51.XX.XX is initiating a Aggressive Mode IKE_SA
Apr 6 09:12:51  charon    15[CFG] <6> looking for XAuthInitPSK peer configs matching 195.68.XX.XX...5.51.XX.XX[dow]
Apr 6 09:12:51  charon    15[CFG] <6> selected peer config "con4"
Apr 6 09:12:51  charon    15[ENC] <con4|6>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Apr 6 09:12:51  charon    15[NET] <con4|6>sending packet: from 195.68.XX.XX[500] to 5.51.XX.XX[500] (412 bytes)
Apr 6 09:12:52  charon    15[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (100 bytes)
Apr 6 09:12:52  charon    15[ENC] <con4|6>parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Apr 6 09:12:52  charon    15[IKE] <con4|6>remote host is behind NAT
Apr 6 09:12:52  charon    15[ENC] <con4|6>generating TRANSACTION request 3637907842 [ HASH CPRQ(X_USER X_PWD) ]
Apr 6 09:12:52  charon    15[NET] <con4|6>sending packet: from 195.68.XX.XX[4500] to 5.51.XX.XX[4500] (76 bytes)
Apr 6 09:12:52  charon    05[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (92 bytes)
Apr 6 09:12:52  charon    05[ENC] <con4|6>parsed INFORMATIONAL_V1 request 3195857327 [ HASH N(INITIAL_CONTACT) ]
Apr 6 09:12:52  charon    05[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (92 bytes)
Apr 6 09:12:52  charon    05[ENC] <con4|6>parsed TRANSACTION response 3637907842 [ HASH CPRP(X_USER X_PWD) ]
Apr 6 09:12:52  charon    user 'brice' authenticated
Apr 6 09:12:52  charon    05[IKE] <con4|6>XAuth-SCRIPT succeeded for user 'brice'.
Apr 6 09:12:52  charon    05[IKE] <con4|6>XAuth authentication of 'brice' successful
Apr 6 09:12:52  charon    05[ENC] <con4|6>generating TRANSACTION request 1278365738 [ HASH CPS(X_STATUS) ]
Apr 6 09:12:52  charon    05[NET] <con4|6>sending packet: from 195.68.XX.XX[4500] to 5.51.XX.XX[4500] (76 bytes)
Apr 6 09:12:52  charon    05[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (76 bytes)
Apr 6 09:12:52  charon    05[ENC] <con4|6>parsed TRANSACTION response 1278365738 [ HASH CPA(X_STATUS) ]
Apr 6 09:12:52  charon    05[IKE] <con4|6>IKE_SA con4[6] established between 195.68.XX.XX[195.68.XX.XX]...5.51.XX.XX[dow]
Apr 6 09:12:52  charon    05[IKE] <con4|6>scheduling reauthentication in 28220s
Apr 6 09:12:52  charon    05[IKE] <con4|6>maximum IKE_SA lifetime 28760s
Apr 6 09:12:52  charon    03[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (172 bytes)
Apr 6 09:12:52  charon    03[ENC] <con4|6>unknown attribute type (28683)
Apr 6 09:12:52  charon    03[ENC] <con4|6>parsed TRANSACTION request 3437576706 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
Apr 6 09:12:52  charon    03[IKE] <con4|6>peer requested virtual IP %any
Apr 6 09:12:52  charon    03[CFG] <con4|6>reassigning offline lease to 'brice'
Apr 6 09:12:52  charon    03[IKE] <con4|6>assigning virtual IP 192.168.25.1 to peer 'brice'
Apr 6 09:12:52  charon    03[ENC] <con4|6>generating TRANSACTION response 3437576706 [ HASH CPRP(ADDR DNS DNS U_DEFDOM U_SPLITDNS U_SAVEPWD) ]
Apr 6 09:12:52  charon    03[NET] <con4|6>sending packet: from 195.68.XX.XX[4500] to 5.51.XX.XX[4500] (124 bytes)
Apr 6 09:12:52  charon    03[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (300 bytes)
Apr 6 09:12:52  charon    03[ENC] <con4|6>parsed QUICK_MODE request 2299161811 [ HASH SA No ID ID ]
Apr 6 09:12:52  charon    03[ENC] <con4|6>generating QUICK_MODE response 2299161811 [ HASH SA No ID ID ]
Apr 6 09:12:52  charon    03[NET] <con4|6>sending packet: from 195.68.XX.XX[4500] to 5.51.XX.XX[4500] (172 bytes)
Apr 6 09:12:52  charon    03[NET] <con4|6>received packet: from 5.51.XX.XX[4500] to 195.68.XX.XX[4500] (60 bytes)
Apr 6 09:12:52  charon    03[ENC] <con4|6>parsed QUICK_MODE request 2299161811 [ HASH ]

Apr 6 09:12:52  charon    16[JOB] ** watcher_force_nonblock: forcing NONBLOCK for the 4-th time **
Apr 6 09:12:52  charon    03[IKE] <con4|6>CHILD_SA con4{10} established with SPIs ca4ad1a1_i 0de8ca1d_o and TS 172.16.10.0/24|/0 === 192.168.25.1/32|/0</con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6></con4|6>

      On a mac, here's what racoon gives:

      
Apr  6 09:30:00 arsenic nesessionmanager[4724]: NESMLegacySession[dow ipsec:CE376059-95A9-4E74-BC20-370522C1DE30]: Received a start command from SystemUIServer[406]
Apr  6 09:30:00 arsenic nesessionmanager[4724]: NESMLegacySession[dow ipsec:CE376059-95A9-4E74-BC20-370522C1DE30]: status changed to connecting
Apr  6 09:30:00 arsenic nesessionmanager[4724]: IPSec connecting to server vpn.daysofwonder.com
Apr  6 09:30:00 arsenic nesessionmanager[4724]: IPSec Phase1 starting.
Apr  6 09:30:00 arsenic racoon[6788]: accepted connection on vpn control socket.
Apr  6 09:30:00 arsenic racoon[6788]: IPSec connecting to server 195.68.XX.XX
Apr  6 09:30:00 arsenic racoon[6788]: Connecting.
Apr  6 09:30:00 arsenic racoon[6788]: IPSec Phase 1 started (Initiated by me).
Apr  6 09:30:00 arsenic racoon[6788]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Apr  6 09:30:00 arsenic racoon[6788]: >>>>> phase change status = Phase 1 started by us
Apr  6 09:30:00 arsenic racoon[6788]: IKEv1 Phase 1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Apr  6 09:30:00 arsenic racoon[6788]: >>>>> phase change status = Phase 1 started by peer
Apr  6 09:30:00 arsenic racoon[6788]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Apr  6 09:30:00 arsenic racoon[6788]: IKEv1 Phase 1 Initiator: success. (Initiator, Aggressive-Mode).
Apr  6 09:30:00 arsenic racoon[6788]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Apr  6 09:30:00 arsenic racoon[6788]: IKE Packet: transmit success. (Information message).
Apr  6 09:30:00 arsenic racoon[6788]: IKEv1 Information-Notice: transmit success. (ISAKMP-SA).
Apr  6 09:30:00 arsenic racoon[6788]: IPSec Phase 1 established (Initiated by me).
Apr  6 09:30:00 arsenic racoon[6788]: IPSec Extended Authentication requested.
Apr  6 09:30:00 arsenic nesessionmanager[4724]: IPSec requesting Extended Authentication.
Apr  6 09:30:00 arsenic nesessionmanager[4724]: IPSec sending Extended Authentication.
Apr  6 09:30:00 arsenic racoon[6788]: IKE Packet: transmit success. (Mode-Config message).
Apr  6 09:30:00 arsenic racoon[6788]: IPSec Extended Authentication sent.
Apr  6 09:30:01 arsenic racoon[6788]: IKEv1 XAUTH: success. (XAUTH Status is OK).
Apr  6 09:30:01 arsenic racoon[6788]: IPSec Extended Authentication Passed.
Apr  6 09:30:01 arsenic racoon[6788]: IKE Packet: transmit success. (Mode-Config message).
Apr  6 09:30:01 arsenic racoon[6788]: IKEv1 Config: retransmited. (Mode-Config retransmit).
Apr  6 09:30:01 arsenic racoon[6788]: IPSec Network Configuration requested.
Apr  6 09:30:01 arsenic racoon[6788]: IPSec Network Configuration established.
Apr  6 09:30:01 arsenic racoon[6788]: >>>>> phase change status = Phase 1 established
Apr  6 09:30:01 arsenic racoon[6788]: IKE Packet: receive success. (MODE-Config).
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration started.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 192.168.25.1.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: SAVE-PASSWORD = 0.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.10.170.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.10.190.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: DEF-DOMAIN = (null).
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: SPLITDNS-NAME[0] = internalp.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 192.168.25.1/32.
Apr  6 09:30:01 arsenic kernel[0]: utun_ctl_connect: creating interface utun0
Apr  6 09:30:01 arsenic kernel[0]: utun0: is now delegating en4 (type 0x6, family 2, sub-family 0)
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Phase2 starting.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration established.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Phase1 established.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration started.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = 192.168.25.1.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: SAVE-PASSWORD = 0.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.10.170.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: INTERNAL-IP4-DNS = 172.16.10.190.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: DEF-DOMAIN = (null).
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: SPLITDNS-NAME[0] = internalp.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration: DEFAULT-ROUTE = local-address 192.168.25.1/32.
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Network Configuration established.
Apr  6 09:30:01 arsenic configd[50]: network changed: v4(utun0+:192.168.25.1, en4) DNS! Proxy! SMB
Apr  6 09:30:01 arsenic racoon[6788]: IPSec Phase 2 started (Initiated by me).
Apr  6 09:30:01 arsenic racoon[6788]: >>>>> phase change status = Phase 2 started
Apr  6 09:30:01 arsenic racoon[6788]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
Apr  6 09:30:01 arsenic configd[50]: network changed
Apr  6 09:30:01 arsenic racoon[6788]: mismatched ID was returned - ignored because nat traversal is being used.
Apr  6 09:30:01 arsenic racoon[6788]: attribute has been modified.
Apr  6 09:30:01 arsenic racoon[6788]: IKE Packet: receive success. (Initiator, Quick-Mode message 2).
Apr  6 09:30:01 arsenic racoon[6788]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
Apr  6 09:30:01 arsenic racoon[6788]: IKEv1 Phase 2 Initiator: success. (Initiator, Quick-Mode).
Apr  6 09:30:01 arsenic racoon[6788]: IPSec Phase 2 established (Initiated by me).
Apr  6 09:30:01 arsenic racoon[6788]: >>>>> phase change status = Phase 2 established
Apr  6 09:30:01 arsenic nesessionmanager[4724]: NESMLegacySession[dow ipsec:CE376059-95A9-4E74-BC20-370522C1DE30]: status changed to connected
Apr  6 09:30:01 arsenic nesessionmanager[4724]: IPSec Phase2 established.
Apr  6 09:30:01 arsenic configd[50]: network changed: v4(utun0:192.168.25.1, en4) DNS* Proxy SMB

      What looks suspicious is the "DEFAULT-ROUTE = local-address 192.168.25.1/32." part.

      Any idea what can be wrong?
      Thanks

      1 Reply Last reply Reply Quote 0
      • M
        masterzen
        last edited by

        Hi,

        Replying to myself: the problem is that the Cisco Unity extension wasn't activated in the IPSec  "Advanced Settings". Once activated, the slip-include IKEv1 option was correctly transmitted to the clients.

        Maybe this is a new pfsense 2.3 option, or the settings wasn't carried over to 2.3 from 2.2.6.

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          That's expected, Unity is most often undesirable and it being enabled by default caused problems more than it helped. There isn't a sure-fire way to determine post-upgrade whether people are relying on it. Now that you have it enabled, it'll stay that way.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.