IPsec clients cannot access VirtualBox interfaces
-
Running 2.2.5-RELEASE (amd64) on official hardware (SG-2220)
I have an IPsec VPN tunnel that has been running for some time without any issues. But I have set up VirtualBox on a server and exposed the guest VMs (CentOS and Windows 7) via a bridged interface, so they appear on the LAN just like any other machine. Internally everything works as expected.
But for some reason the IPsec clients cannot connect to any of the VMs. Reviewing the pfSense logs shows nothing: no firewall blocks and nothing in the IPsec logs.
Interestingly, the VPN clients can access the physical host that runs VirtualBox perfectly, and any other device on the network range, just not the virtual machines.
Any suggestions?
VPN IPsec Phase 1:
Key Exchange V1
Encryption: AES 128bits
Hash: SHA1
DH group: 2 (1024bit)
Lifetime: 28800
DPD enabled
Phase 2:
Protocol: ESP
Encryption: AES 128 bits
Hash: SHA1
PFS key group: off
Lifetime: 3600
On side A (LAN):
192.168.5.0/24
On side B (Client):
192.168.17.0/24
Firewall rule:
Tab IPsec: Allow all IPv4 from all to everything.
-
I've just tried this and I can access the VirtualBox VMs fine over my IPsec VPN. Could there be anything on your host machine blocking this, such as a software firewall or anything?
-
via a bridged interface so they appear on the LAN just like any other machine. Internally everything works as expected.
Is this adapter doing anything like NAT? Is this perhaps your problem?
-
Good suggestions.
Below is the iptables output from the host that runs all the VMs. There are three address ranges in use here:
192.168.5.0/24 which is the intended network, all devices should operate on this one ideally
192.168.12.0/24 the second ip range created for the VM guests to operate in as a work around to this issue.
192.168.122.0/24: I have no idea what this is; given the limited range I assume it would not be causing any issues.
Does this seem correct?
service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE tcp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
2    MASQUERADE udp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
3    MASQUERADE all  --  192.168.122.0/24     !192.168.122.0/24
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CHECKSUM   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
5    ACCEPT     udp  --  192.168.5.0/24       0.0.0.0/0            state NEW multiport dports 111,892,2049,32769
6    ACCEPT     tcp  --  192.168.5.0/24       0.0.0.0/0            state NEW multiport dports 111,892,2049,32803
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
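Two questions raised in this thread, whether the VirtualBox adapter is doing NAT (the third post) and whether the host's iptables NAT table touches guest traffic (the dump above), can both be checked mechanically rather than by eye. The Python below is an added example, not code from the original thread, from VirtualBox or from pfSense. It parses constructed sample text modelled on `VBoxManage showvminfo <vm> --machinereadable` and on `iptables -t nat -S POSTROUTING` (the same three MASQUERADE rules as the dump above, in iptables-save syntax) and reports, for a hypothetical guest at 192.168.5.50 replying to an IPsec client at 192.168.17.10, whether each guest NIC is bridged and whether any host MASQUERADE rule would rewrite the reply. The VM name "centos7", the adapter name eth0 and the two addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of the NIC keys that
# `VBoxManage showvminfo centos7 --machinereadable` prints (VM name assumed).
VBOX_SAMPLE = """\
name="centos7"
nic1="bridged"
bridgeadapter1="eth0"
macaddress1="080027A1B2C3"
nic2="nat"
macaddress2="080027D4E5F6"
nic3="none"
"""

# Constructed sample modelled on the host's nat table from the post above,
# as `iptables -t nat -S POSTROUTING` would print it.
NAT_SAMPLE = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def vbox_nic_modes(text):
    """Map NIC index -> (mode, bridged host adapter or None), skipping disabled NICs."""
    modes, adapters = {}, {}
    for line in text.splitlines():
        m = re.match(r'^(nic|bridgeadapter)(\d+)="([^"]*)"$', line)
        if not m:
            continue
        key, idx, val = m.group(1), int(m.group(2)), m.group(3)
        if key == "nic":
            modes[idx] = val
        else:
            adapters[idx] = val
    return {i: (mode, adapters.get(i)) for i, mode in modes.items() if mode != "none"}


def masquerade_rules(text):
    """Parse POSTROUTING MASQUERADE rules into (src_net, dst_net, dst_negated) tuples."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A POSTROUTING") or "-j MASQUERADE" not in line:
            continue
        src = re.search(r'\s-s\s+(\S+)', line)
        dst = re.search(r'(!\s+)?-d\s+(\S+)', line)
        src_net = ipaddress.ip_network(src.group(1)) if src else ANY
        dst_net = ipaddress.ip_network(dst.group(2)) if dst else ANY
        negated = bool(dst and dst.group(1))
        rules.append((src_net, dst_net, negated))
    return rules


def masqueraded(rules, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches some MASQUERADE rule (first match wins)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, negated in rules:
        if s in src_net and ((d in dst_net) != negated):
            return True
    return False


def check(vm_text, nat_text, guest_ip, remote_ip):
    """Combine both checks for one guest and return the findings as strings."""
    findings = []
    for idx, (mode, adapter) in sorted(vbox_nic_modes(vm_text).items()):
        if mode == "bridged":
            findings.append(f"nic{idx} is bridged to host adapter {adapter}")
        else:
            findings.append(f"nic{idx} is in '{mode}' mode, not bridged: "
                            f"LAN and VPN peers cannot reach it directly")
    if masqueraded(masquerade_rules(nat_text), guest_ip, remote_ip):
        findings.append(f"host MASQUERADE rule rewrites {guest_ip} -> {remote_ip}")
    else:
        findings.append(f"no host MASQUERADE rule matches {guest_ip} -> {remote_ip}")
    return findings


if __name__ == "__main__":
    for line in check(VBOX_SAMPLE, NAT_SAMPLE, "192.168.5.50", "192.168.17.10"):
        print(line)
```

On the real host, replace the two constructed strings with the actual command output for each guest. For the rules in the dump above, a guest on 192.168.5.0/24 matches no MASQUERADE rule, so that table is not what stops the VPN clients; the NIC check is kept separate because VirtualBox's own NAT mode (nic="nat") is implemented inside VirtualBox and never appears in the host's iptables.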