IPsec Road Warrior - cannot pass web traffic from client through the tunnel.



  • Hello Everyone,

    I have an issue with my road warrior configuration that I cannot overcome and it's been driving me crazy - I hope someone out there can help me with it.

    I'm running pfSense 2.2.6 and set up the IPsec tunnel following this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Initially, as part of the Phase 2 configuration I set the 'Local Network' parameter to LAN subnet and it was all working fine. I could access all the hosts sitting on the LAN perfectly, stream video over the tunnel, etc.

    Now, I wanted to pass all the traffic, including my web traffic from my iPhone, back to my home to use my private internet connection. I changed the 'Local Network' parameter to 0.0.0.0/0 but that seems to break things - the tunnel comes up but I can no longer connect to my hosts and cannot browse the web? Needless to say, if I change the configuration back to LAN subnet, it seems to work the way it did before.

    I have been searching this site for ideas but many of the earlier posts refer to different versions of pfSense and I'm not sure if this plays any part. I looked at my firewall logs but there isn't anything being blocked. After about a week of trying things on my own, I realized I need help.

    Could someone please help me resolve this… many thanks in advance.



  • Ok, let me add the log to see if this contains any hints towards the solution.

    Apr 15 17:35:37 charon: user 'lesilverfox' authenticated
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> XAuth-SCRIPT succeeded for user 'lesilverfox'.
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> XAuth authentication of 'lesilverfox' successful
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> generating TRANSACTION request 3292585543 [ HASH CPS(X_STATUS) ]
    Apr 15 17:35:37 charon: 13[NET] <con1|44> sending packet: from 192.168.1.20[4500] to blanking out my public ip (76 bytes)
    Apr 15 17:35:37 charon: 13[NET] <con1|44> received packet: from blanking out my public ip to 192.168.1.20[4500] (76 bytes)
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> parsed TRANSACTION response 3292585543 [ HASH CPA(X_STATUS) ]
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> IKE_SA con1[44] established between 192.168.1.20[192.168.1.20]…blanking out my public ip]
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> scheduling reauthentication in 28222s
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> maximum IKE_SA lifetime 28762s
    Apr 15 17:35:37 charon: 13[NET] <con1|44> received packet: from blanking out my public ip to 192.168.1.20[4500] (172 bytes)
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> unknown attribute type (28683)
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> parsed TRANSACTION request 1639386844 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> peer requested virtual IP %any
    Apr 15 17:35:37 charon: 13[CFG] <con1|44> reassigning offline lease to 'lesilverfox'
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> assigning virtual IP 192.168.100.1 to peer 'lesilverfox'
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> generating TRANSACTION response 1639386844 [ HASH CPRP(ADDR DNS U_DEFDOM U_SPLITDNS U_BANNER U_BANNER U_SAVEPWD) ]
    Apr 15 17:35:37 charon: 13[NET] <con1|44> sending packet: from 192.168.1.20[4500] to blanking out my public ip (172 bytes)
    Apr 15 17:35:37 charon: 13[NET] <con1|44> received packet: from blanking out my public ip to 192.168.1.20[4500] (300 bytes)
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> parsed QUICK_MODE request 4242542335 [ HASH SA No ID ID ]
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> generating QUICK_MODE response 4242542335 [ HASH SA No ID ID ]
    Apr 15 17:35:37 charon: 13[NET] <con1|44> sending packet: from 192.168.1.20[4500] to blanking out my public ip (172 bytes)
    Apr 15 17:35:37 charon: 13[NET] <con1|44> received packet: from blanking out my public ip to 192.168.1.20[4500] (60 bytes)
    Apr 15 17:35:37 charon: 13[ENC] <con1|44> parsed QUICK_MODE request 4242542335 [ HASH ]
    Apr 15 17:35:37 charon: 13[IKE] <con1|44> CHILD_SA con1{2} established with SPIs cd432968_i 03a2d74a_o and TS 0.0.0.0/0|/0 === 192.168.100.1/32|/0

    Thank you for any suggestions.



  • Let me add some additional information; so this afternoon I recreated my IPsec setup on a fresh install of pfSense 2.2.6, still the same problem. The tunnel comes up but with local network set to 0.0.0.0/0 I cannot pass traffic. Attached are the screen prints of the setup. I hope this helps to identify my issue.

    ![IPsec Phase 2.png](/public/imported_attachments/1/IPsec Phase 2.png)
    ![IPsec Phse 1.png](/public/imported_attachments/1/IPsec Phse 1.png)
    ![IPsec mobile client.png](/public/imported_attachments/1/IPsec mobile client.png)
    ![FW rules Wan.png](/public/imported_attachments/1/FW rules Wan.png)



  • Issue RESOLVED! I read a post on Reddit with similar problems and it was a NAT configuration. I needed to select auto NAT and everything works just fine (I had manual NAT selected for some reason).
    I hope this may be useful for someone.
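The NAT fix described in that post, as an added diagnostic example that is not part of the thread or of pfSense itself: it parses charon lines of the kind quoted earlier for the assigned virtual IP and the CHILD_SA traffic selectors, then checks whether a set of WAN outbound NAT rules covers that virtual IP. The two rule sets, the 192.168.1.0/24 LAN and the 192.168.100.0/24 mobile client pool are assumptions made for the example.

```python
import ipaddress
import re

# Constructed charon excerpt modelled on the lines quoted earlier in the thread;
# only the two lines the check needs are included.
CHARON_LOG = """\
Apr 15 17:35:37 charon: 13[IKE] <con1|44> assigning virtual IP 192.168.100.1 to peer 'lesilverfox'
Apr 15 17:35:37 charon: 13[IKE] <con1|44> CHILD_SA con1{2} established with SPIs cd432968_i 03a2d74a_o and TS 0.0.0.0/0|/0 === 192.168.100.1/32|/0
"""

VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer")
TS_RE = re.compile(r"CHILD_SA .* TS (\S+)\|/0 === (\S+)\|/0")

# Assumed outbound NAT rule sets: manual mode with only a LAN rule (the situation
# the thread describes) and automatic mode, which also covers the mobile pool.
LAN = ipaddress.ip_network("192.168.1.0/24")
MOBILE_POOL = ipaddress.ip_network("192.168.100.0/24")
MANUAL_NAT = [{"interface": "WAN", "source": LAN}]
AUTO_NAT = MANUAL_NAT + [{"interface": "WAN", "source": MOBILE_POOL}]


def parse_child_sa(log):
    """Extract (local TS, remote TS, assigned virtual IP) from charon log lines."""
    local = remote = vip = None
    for line in log.splitlines():
        m = VIP_RE.search(line)
        if m:
            vip = ipaddress.ip_address(m.group(1))
        m = TS_RE.search(line)
        if m:
            local, remote = (ipaddress.ip_network(g) for g in m.groups())
    return local, remote, vip


def missing_outbound_nat(local_ts, vip, nat_rules):
    """True when the tunnel carries all client traffic (local TS 0.0.0.0/0) but no
    WAN outbound NAT rule translates the client's virtual IP: internet-bound packets
    would then leave WAN with a private source address and never get a reply."""
    if local_ts != ipaddress.ip_network("0.0.0.0/0"):
        return False  # split tunnel to the LAN only: no WAN translation involved
    return not any(vip in r["source"] for r in nat_rules if r["interface"] == "WAN")


if __name__ == "__main__":
    local, remote, vip = parse_child_sa(CHARON_LOG)
    print(f"TS {local} === {remote}, virtual IP {vip}")
    for name, rules in (("manual", MANUAL_NAT), ("automatic", AUTO_NAT)):
        state = "MISSING rule for " + str(vip) if missing_outbound_nat(local, vip, rules) else "ok"
        print(f"{name} outbound NAT: {state}")
```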



  • I have the same problem. Can you share which NAT settings you changed? Thanks

