IpSec Ikev2 Tunnel Up, but not passing internet traffic

JannikJung0

Hello everybody,
i'm trying to setup an IpSec VPN (Mobile Clients connect to the pfSense Router).
The connection gets established, but I'm not able to browse the web. However, I am able to access hosts through the VPN.

Im using the openSwan App on an Android Phone to connect.
Do you see anything wrong with the configuration?

Lan: 10.10.10.0/24
IpSec: 10.10.200.0/24

Here are some Screenshots:

Kind regards,
Jannik

Advanced_1.PNG_thumb

Advanced_2.PNG_thumb

logs.PNG_thumb

Mobile_Clients.PNG_thumb

Outbound_Nat.PNG_thumb

Overview.PNG_thumb

Phase1_1.PNG_thumb

Phase1_2.PNG_thumb

Phase2_1.PNG_thumb

psk.PNG_thumb

Rules_IPSec.PNG_thumb

Rules_Wan.PNG_thumb

epionier

Hello,

I think in your case there is a NAT rule missing (also for your OpenVPN)

WAN 10.21.200.0/24 * * 500 WAN ADDRESS * HOOK

Also try enabling MSS Clamping in Advanced Settings with 1400

Also switch on "Provide a list of accessible networks to clients" in "Mobile Settings"

JannikJung0

Hello epionier,

I just added the rules, enabled the two aforementioned options and now Internet Access is working!

Unfortunately DNS Resolution is not working for the LAN. E.g. I can't acces the pfsense using http://pfsense/
Furthermore it takes quite a while to load a Website. Using the same data connection and OpenVPN it is way faster. Any idea?

Kind regards,
Jannik

epionier

Hello,

good to hear. Sounds now like a DNS problem.

I assume 10.10.10.1 is your pfSense LAN because you provide that as DNS server for your IPSec connections?

Did you enable the "DNS resolver" in services for all interfaces and disabled the "DNS Forwarder" in services?

If this is all the case try to disable "MSS Clamping" again and reconnect to try if it`s better.

JannikJung0

Hello epionier,

DNS resolver is enabled and works perfectly on my LAN. I disabled the MSS Clamping and the speeds improved a little bit, also I can access pfsense using the hostname.

My last problem is, that I cant access other hosts in the network using their hostname. I did setup the DNS resolver to Register DHCP leases in the DNS Resolver.
Example: I can connect to my plex server using http://plex:32400/web/index.html on my LAN, but it is not working on either VPN (OpenVPN nor IPSec)

Any idea?

Thanks,
kind regards

Jannik

epionier

Hello, I also think your NAT LAN rule is not correctly set. The fourth item (source 10.10.10.0/24) for all destination ports should randomize source ports and not be hooked. Did you modify that because this should not be "auto created" as it says?

For your DNS problem there could be several misconfiguration. Please start a thread in the DNS section.

JannikJung0

Hello,

I think the rule was auto created, however I probably changed the randomized port to static port because of SIP.
Thank you for your help, I'll try to solve the DNS Problem in the appropriate section.

Kind regards,
Jannik

daxpfacc

I usually add IPsec subnet to a DNS resolver access list and it works flawlessly following this tutorial:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

Works in Win 10 desktop and Windows Phone 8.1, NOT in windows 10 mobile
pfsense: 2.2.6, 2.3_1, 2.3.1 dev

JannikJung0

Hi daxpfacc,

thank you for that hint. I just added both the OpenVPN and IPsec Subnets and allowed queries, but it still does not work.

Kind regards,
Jannik