IPsec IKEv2 tunnel up, but not passing Internet traffic

  • Hello everybody,
    I'm trying to set up an IPsec VPN (mobile clients connect to the pfSense router).
    The connection gets established, but I'm not able to browse the web. However, I am able to access hosts through the VPN.

    I'm using the openSwan app on an Android phone to connect.
    Do you see anything wrong with the configuration?

    LAN: 10.10.10.0/24
    IPsec: 10.10.200.0/24

    Here are some screenshots:

    Kind regards,
    Jannik


  • Hello,

    I think in your case there is a NAT rule missing (also for your OpenVPN)

    WAN  10.21.200.0/24  *  *  500  WAN ADDRESS  *  HOOK

    Also try enabling MSS Clamping in Advanced Settings with 1400

    Also switch on "Provide a list of accessible networks to clients" in "Mobile Settings"
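
    The outbound NAT rule above is the part of this fix that is easiest to get subtly wrong (wrong subnet, or the rule silently inheriting static port from the LAN rule). The following is an added check, not epionier's or pfSense's own code: it reads saved `pfctl -s nat` output and reports whether an outbound NAT rule exists for the mobile-IPsec subnet and whether that rule preserves the source port. It assumes the subnet from the first post (10.10.200.0/24), a WAN interface named em0 and a WAN address of 203.0.113.5 (documentation range); the sample rule text is constructed, not captured from the poster's firewall.

```shell
#!/bin/sh
# Added diagnostic for the outbound NAT fix discussed in the thread (not the
# poster's script). Reads `pfctl -s nat` output and reports whether the
# mobile-IPsec subnet has an outbound NAT rule and whether it keeps the
# client's source port. Assumed values: subnet 10.10.200.0/24, WAN interface
# em0, WAN address 203.0.113.5 (documentation range, not a real host).

# check_outbound_nat RULEFILE SUBNET
# Returns 0 and prints the matching rule if RULEFILE (saved output of
# `pfctl -s nat`) contains an outbound NAT rule whose source is SUBNET;
# returns 1 if no such rule exists.
check_outbound_nat() {
    rulefile=$1
    subnet=$2
    # Make the dots literal inside the grep pattern ("/" is not a metacharacter).
    pattern=$(printf '%s' "$subnet" | sed 's/\./\\./g')
    line=$(grep "^nat on .* from ${pattern} to any" "$rulefile" | head -n 1 || true)
    if [ -z "$line" ]; then
        printf 'MISSING: no outbound NAT rule for %s\n' "$subnet"
        return 1
    fi
    # pf prints "static-port" when the rule preserves the client source port;
    # otherwise it prints the port range it will pick a random source port from.
    case $line in
        *static-port*) printf 'OK (static-port): %s\n' "$line" ;;
        *)             printf 'OK (randomised source port): %s\n' "$line" ;;
    esac
    return 0
}

# Constructed sample of `pfctl -s nat` output (not captured from the poster's
# firewall): the LAN rule set to static port, as the thread discusses, and a
# rule for the IPsec client subnet with randomised source ports.
sample_nat_rules() {
    cat <<'EOF'
nat on em0 inet from 10.10.10.0/24 to any -> 203.0.113.5 static-port
nat on em0 inet from 10.10.200.0/24 to any -> 203.0.113.5 port 1024:65535
EOF
}

# Stand-alone demo. On a pfSense box, replace sample_nat_rules with
# `pfctl -s nat` and pass the IPsec subnet you configured.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_nat_rules > "$tmp"
    check_outbound_nat "$tmp" 10.10.200.0/24
    check_outbound_nat "$tmp" 10.10.10.0/24
    check_outbound_nat "$tmp" 10.21.200.0/24
    rm -f "$tmp"
fi
```

    Run it with `--demo` to see all three outcomes (randomised rule, static-port rule, missing rule). Note that it only inspects the rule text; it says nothing about whether the rule's WAN address is the one the provider actually routes.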



  • Hello epionier,

    I just added the rules, enabled the two aforementioned options and now Internet Access is working!

    Unfortunately DNS resolution is not working for the LAN. E.g. I can't access the pfSense using http://pfsense/
    Furthermore it takes quite a while to load a Website. Using the same data connection and OpenVPN it is way faster. Any idea?

    Kind regards,
    Jannik



  • Hello,

    good to hear. Sounds now like a DNS problem.

    I assume 10.10.10.1 is your pfSense LAN because you provide that as DNS server for your IPSec connections?

    Did you enable the "DNS Resolver" in Services for all interfaces and disable the "DNS Forwarder" in Services?

    If this is all the case, try to disable "MSS Clamping" again and reconnect to see if it's better.



  • Hello epionier,

    The DNS Resolver is enabled and works perfectly on my LAN. I disabled the MSS Clamping and the speeds improved a little bit; also, I can access pfSense using the hostname.

    My last problem is that I can't access other hosts in the network using their hostname. I did set up the DNS Resolver to register DHCP leases in the DNS Resolver.
    Example: I can connect to my plex server using http://plex:32400/web/index.html on my LAN, but it is not working on either VPN (OpenVPN nor IPSec)

    Any idea?

    Thanks,
    kind regards

    Jannik



  • Hello, I also think your NAT LAN rule is not correctly set. The fourth item (source 10.10.10.0/24) for all destination ports should randomize source ports and not be hooked. Did you modify that because this should not be "auto created" as it says?

    For your DNS problem there could be several misconfiguration. Please start a thread in the DNS section.



  • Hello,

    I think the rule was auto created, however I probably changed the randomized port to static port because of SIP.
    Thank you for your help, I'll try to solve the DNS Problem in the appropriate section.

    Kind regards,
    Jannik



  • I usually add IPsec subnet to a DNS resolver access list and it works flawlessly following this tutorial:

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Works in Win 10 desktop and Windows Phone 8.1, NOT in windows 10 mobile
    pfsense: 2.2.6, 2.3_1, 2.3.1 dev
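
    The access list mentioned above ends up as `access-control:` lines in Unbound's configuration, and Unbound answers REFUSED to any client whose address matches none of them, using the most specific matching netblock when several do. The following is an added check, not daxpfacc's or pfSense's own code: it reimplements that lookup in POSIX shell so you can see which action a given VPN client address would get from the resolver's configuration. It assumes IPsec clients in 10.10.200.0/24, the LAN resolver at 10.10.10.1, and the pfSense default config path /var/unbound/unbound.conf; the config fragment it runs against is constructed, not taken from the poster's box.

```shell
#!/bin/sh
# Added check for the DNS Resolver access-list fix suggested in the thread
# (not the poster's script). Unbound picks the most specific matching
# access-control netblock and refuses clients that match none; this
# reimplements that lookup over an unbound.conf file.
# Assumptions: IPsec clients in 10.10.200.0/24, resolver at 10.10.10.1,
# config at /var/unbound/unbound.conf (pfSense default path).

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> returns 0 if IP lies inside CIDR
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolver_action CONF CLIENT_IP -> prints the access-control action
# (allow, refuse, deny, ...) Unbound would apply to CLIENT_IP: the longest
# matching prefix wins, and a client matching no entry gets "refuse".
resolver_action() {
    conf=$1
    client=$2
    best_bits=-1
    best_action=refuse
    while read -r key cidr action; do
        [ "$key" = "access-control:" ] || continue
        # A bare address in unbound.conf means a /32.
        case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac
        in_cidr "$client" "$cidr" || continue
        bits=${cidr#*/}
        if [ "$bits" -gt "$best_bits" ]; then
            best_bits=$bits
            best_action=$action
        fi
    done < "$conf"
    echo "$best_action"
}

# Constructed unbound.conf fragment (not the poster's config): loopback and
# LAN are allowed, a broad refuse covers the rest of 10/8, and the IPsec
# subnet has no entry yet, which matches the symptom in the thread.
sample_unbound_conf() {
    cat <<'EOF'
server:
	access-control: 127.0.0.0/8 allow
	access-control: 10.0.0.0/8 refuse
	access-control: 10.10.10.0/24 allow
EOF
}

# Stand-alone demo. On the firewall, run:
#   resolver_action /var/unbound/unbound.conf 10.10.200.7
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    sample_unbound_conf > "$conf"
    printf 'LAN client 10.10.10.50:   %s\n' "$(resolver_action "$conf" 10.10.10.50)"
    printf 'IPsec client 10.10.200.7: %s\n' "$(resolver_action "$conf" 10.10.200.7)"
    rm -f "$conf"
fi
```

    With the sample fragment a LAN client gets "allow" while an IPsec client gets "refuse"; appending `access-control: 10.10.200.0/24 allow` (what the Access Lists page generates) flips the IPsec client to "allow". Note that this only explains REFUSED answers; if queries get through but LAN hostnames still do not resolve, the problem is elsewhere (for example which domain the client appends, or whether the lease registration has happened), which this check does not cover.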



  • Hi daxpfacc,

    thank you for that hint. I just added both the OpenVPN and IPsec Subnets and allowed queries, but it still does not work.

    Kind regards,
    Jannik

