Netgate Discussion Forum
    IpSec Ikev2 Tunnel Up, but not passing internet traffic

    9 Posts 3 Posters 3.3k Views
    JannikJung0

      Hello everybody,
      I'm trying to set up an IPsec VPN (mobile clients connect to the pfSense router).
      The connection gets established, but I'm not able to browse the web. However, I am able to access hosts through the VPN.

      I'm using the openSwan app on an Android phone to connect.
      Do you see anything wrong with the configuration?

      LAN: 10.10.10.0/24
      IPsec: 10.10.200.0/24

      Here are some screenshots (attachments: Advanced_1.PNG, Advanced_2.PNG, logs.PNG, Mobile_Clients.PNG, Outbound_Nat.PNG, Overview.PNG, Phase1_1.PNG, Phase1_2.PNG, Phase2_1.PNG, psk.PNG, Rules_IPSec.PNG, Rules_Wan.PNG).

      Kind regards,
      Jannik

        epionier

        Hello,

        I think in your case there is a NAT rule missing (also for your OpenVPN):

        WAN  10.21.200.0/24  *  *  500  WAN ADDRESS  *  HOOK

        Also, try enabling MSS clamping in Advanced Settings with 1400.

        Also switch on "Provide a list of accessible networks to clients" in "Mobile Settings".

          JannikJung0

          Hello epionier,

          I just added the rules, enabled the two aforementioned options, and now internet access is working!

          Unfortunately, DNS resolution is not working for the LAN. E.g. I can't access the pfSense using http://pfsense/.
          Furthermore, it takes quite a while to load a website. Using the same data connection and OpenVPN, it is way faster. Any idea?

          Kind regards,
          Jannik

            epionier

            Hello,

            Good to hear. It now sounds like a DNS problem.

            I assume 10.10.10.1 is your pfSense LAN, because you provide that as the DNS server for your IPsec connections?

            Did you enable the "DNS Resolver" in Services for all interfaces and disable the "DNS Forwarder"?

            If this is all the case, try disabling "MSS Clamping" again and reconnect to see if it's better.

              JannikJung0

              Hello epionier,

              The DNS Resolver is enabled and works perfectly on my LAN. I disabled MSS clamping and the speeds improved a little bit; I can also access pfSense using the hostname.

              My last problem is that I can't access other hosts in the network using their hostnames. I did set up the DNS Resolver to register DHCP leases in the DNS Resolver.
              Example: I can connect to my Plex server using http://plex:32400/web/index.html on my LAN, but it is not working on either VPN (OpenVPN or IPsec).

              Any idea?

              Thanks and kind regards,

              Jannik

                epionier

                Hello, I also think your LAN NAT rule is not set correctly. The fourth item (source 10.10.10.0/24, all destination ports) should randomize source ports and not be hooked. Did you modify that? It should not be "auto created" as it says.

                For your DNS problem there could be several misconfigurations. Please start a thread in the DNS section.

                  JannikJung0

                  Hello,

                  I think the rule was auto-created; however, I probably changed the randomized port to static port because of SIP.
                  Thank you for your help; I'll try to solve the DNS problem in the appropriate section.

                  Kind regards,
                  Jannik

                    daxpfacc
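A worked check added here for illustration (it is not the poster's configuration or pfSense code): it models pfSense's first-match outbound NAT table with constructed rules to show why traffic from the 10.10.200.0/24 IPsec pool leaves the WAN untranslated when no rule covers it, and flags the static-port catch-all LAN rule epionier points out. Reading the checkmark column as the static-port flag is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    """One row of pfSense's Firewall > NAT > Outbound table (constructed model)."""
    source: str        # source CIDR the rule matches on
    dst_port: str      # "*" or a single destination port
    nat_address: str   # address the source is rewritten to
    static_port: bool  # keep the original source port (assumed to be the 'hooked' column)

def match_outbound(rules, src_ip, dst_port):
    """First-match lookup, as pf evaluates outbound NAT; None when no rule applies."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source) and rule.dst_port in ("*", str(dst_port)):
            return rule
    return None

def translate(rules, src_ip, dst_port):
    """How a packet from src_ip leaves WAN: 'untranslated', 'static-port' or 'random-port'."""
    rule = match_outbound(rules, src_ip, dst_port)
    if rule is None:
        return "untranslated"  # private source reaches the internet un-NATed; replies never return
    return "static-port" if rule.static_port else "random-port"

def audit(rules, vpn_subnets):
    """Flag the thread's two problems: an uncovered VPN pool and a static-port catch-all rule."""
    findings = []
    for subnet in vpn_subnets:
        probe = str(ipaddress.ip_network(subnet)[1])  # first host address as a probe
        if match_outbound(rules, probe, 443) is None:
            findings.append(f"no outbound NAT rule covers {subnet}")
    for rule in rules:
        if rule.dst_port == "*" and rule.static_port:
            findings.append(f"catch-all rule for {rule.source} uses static port")
    return findings

# Constructed starting point: automatic LAN rules only, with the LAN catch-all
# switched to static port (as the poster says he did for SIP); nothing for the IPsec pool.
RULES_BEFORE = [
    NatRule("10.10.10.0/24", "500", "WAN address", True),
    NatRule("10.10.10.0/24", "*", "WAN address", True),
]
# With epionier's advice applied: IPsec pool covered, LAN catch-all back to random ports.
RULES_AFTER = [
    NatRule("10.10.10.0/24", "500", "WAN address", True),
    NatRule("10.10.10.0/24", "*", "WAN address", False),
    NatRule("10.10.200.0/24", "500", "WAN address", True),
    NatRule("10.10.200.0/24", "*", "WAN address", False),
]
```

`audit(RULES_BEFORE, ["10.10.200.0/24"])` reports both findings; the same call on `RULES_AFTER` returns an empty list.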

                    I usually add the IPsec subnet to a DNS Resolver access list and it works flawlessly, following this tutorial:

                    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                    Works on a Win 10 desktop and Windows Phone 8.1, NOT on Windows 10 Mobile.
                    pfSense: 2.2.6, 2.3_1, 2.3.1 dev

                      JannikJung0

                      Hi daxpfacc,

                      Thank you for that hint. I just added both the OpenVPN and IPsec subnets and allowed queries, but it still does not work.

                      Kind regards,
                      Jannik
