OPNsense Forum

English Forums => General Discussion => Topic started by: gctwnl on December 03, 2022, 04:30:29 am

Title: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
Post by: gctwnl on December 03, 2022, 04:30:29 am
I have set up IKEv2 IPsec. I can connect the tunnel and I can connect to the devices on OPNsense's LAN.

WAN: my-WAN-range (5 fixed IPs)
LAN: 192.168.2.2/24
IPsec net: 192.168.102.2/24
Local Net: 0.0.0.0/0 (route all traffic via VPN)
Users: FreeRADIUS

When the laptop is connected via IKEv2 to the OPNsense IPsec service, it gets IP address 192.168.102.163 (set in FreeRADIUS).

When connected I can connect to sites on the LAN (so from 192.168.102.163 to for instance 192.168.2.86), but I cannot get to the internet at large. I cannot see any blocked stuff in the firewall logging. It seems my packets disappear into a black hole when I try to reach some web site (like www.apple.com).

How can I find out what happens with the traffic from the Road Warrior laptop?
Title: Re: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
Post by: bartjsmit on December 03, 2022, 08:44:51 am
Interfaces > Diagnostics > Packet Capture. Perform it simultaneously with one on your laptop. The shark is your friend https://www.wireshark.org/
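One way to make the two captures answer the original question ("what happens with the traffic from the Road Warrior laptop?") is to correlate them probe by probe. The script below is an added example, not code from the thread or from OPNsense. It assumes the text format printed by `tcpdump -n -i enc0 icmp` (on OPNsense/FreeBSD, policy-based IPsec traffic is visible on the enc0 interface) and `tcpdump -n -i <wan_if> icmp`, and for every ICMP echo request the VPN client sent it reports whether it was answered from the LAN, whether it ever reached the WAN, and, if it did, whether outbound NAT rewrote the 192.168.102.x source. The capture lines, the router WAN address 203.0.113.5 and the internet targets 198.51.100.20/30 are constructed for the example; only the client, LAN and pool addresses come from the post.

```python
"""Correlate ICMP echo probes seen on the IPsec side (enc0) with the WAN side.

Added example, not from the forum thread. Assumed tcpdump line format:
  HH:MM:SS.uuuuuu IP a.b.c.d > e.f.g.h: ICMP echo request, id N, seq M, length L
"""
import ipaddress
import re
from dataclasses import dataclass

# One verdict per outcome the two captures can tell apart.
LAN_ANSWERED = "LAN target: echo reply came back over the tunnel"
LAN_SILENT = "LAN target: no reply (LAN host or IPsec firewall rule)"
NOT_ON_WAN = "never appeared on WAN: not forwarded (check IPsec firewall rules, routing)"
LEFT_UNTRANSLATED = "left WAN with the VPN pool source unchanged: no outbound NAT rule matched"
WAN_ANSWERED = "translated on WAN and the reply returned to the client"
REPLY_LOST = "reply arrived on WAN but never reached the client (NAT state / return path)"
NO_UPSTREAM_REPLY = "translated on WAN, nothing came back from upstream"

_ICMP = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    kind: str  # "request" or "reply"
    ident: int
    seq: int


def parse_tcpdump(lines):
    """Keep only ICMP echo lines; other traffic in the capture is ignored."""
    probes = []
    for line in lines:
        m = _ICMP.match(line.strip())
        if m:
            probes.append(Probe(m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return probes


def classify(client_ip, lan_net, enc_lines, wan_lines):
    """Map (dst, id, seq) of every request the client sent to a verdict."""
    lan = ipaddress.ip_network(lan_net)
    enc, wan = parse_tcpdump(enc_lines), parse_tcpdump(wan_lines)
    verdicts = {}
    for p in enc:
        if p.kind != "request" or p.src != client_ip:
            continue
        # Tunnel side is untranslated, so the reply matches on id and seq.
        replied = any(q.kind == "reply" and q.dst == client_ip and q.src == p.dst
                      and q.ident == p.ident and q.seq == p.seq for q in enc)
        key = (p.dst, p.ident, p.seq)
        if ipaddress.ip_address(p.dst) in lan:
            verdicts[key] = LAN_ANSWERED if replied else LAN_SILENT
            continue
        # Outbound NAT may rewrite the source (and the ICMP id), so on the WAN
        # side correlate on destination and sequence number only.
        on_wan = [q for q in wan if q.kind == "request" and q.dst == p.dst and q.seq == p.seq]
        if not on_wan:
            verdicts[key] = NOT_ON_WAN
        elif on_wan[0].src == client_ip:
            verdicts[key] = LEFT_UNTRANSLATED
        elif replied:
            verdicts[key] = WAN_ANSWERED
        elif any(q.kind == "reply" and q.src == p.dst and q.seq == p.seq for q in wan):
            verdicts[key] = REPLY_LOST
        else:
            verdicts[key] = NO_UPSTREAM_REPLY
    return verdicts


# Constructed captures: one LAN probe, one probe that leaves WAN untranslated,
# one that never reaches WAN, and one healthy NATed probe for contrast.
ENC0_CAPTURE = """
10:00:00.000001 IP 192.168.102.163 > 192.168.2.86: ICMP echo request, id 7, seq 1, length 64
10:00:00.000900 IP 192.168.2.86 > 192.168.102.163: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000001 IP 192.168.102.163 > 198.51.100.20: ICMP echo request, id 8, seq 1, length 64
10:00:02.000001 IP 192.168.102.163 > 198.51.100.20: ICMP echo request, id 8, seq 2, length 64
10:00:03.000001 IP 192.168.102.163 > 198.51.100.30: ICMP echo request, id 9, seq 1, length 64
10:00:03.020000 IP 198.51.100.30 > 192.168.102.163: ICMP echo reply, id 9, seq 1, length 64
""".strip().splitlines()

WAN_CAPTURE = """
10:00:01.000100 IP 192.168.102.163 > 198.51.100.20: ICMP echo request, id 8, seq 1, length 64
10:00:03.000100 IP 203.0.113.5 > 198.51.100.30: ICMP echo request, id 9, seq 1, length 64
10:00:03.019000 IP 198.51.100.30 > 203.0.113.5: ICMP echo reply, id 9, seq 1, length 64
""".strip().splitlines()


def diagnose_sample():
    return classify("192.168.102.163", "192.168.2.0/24", ENC0_CAPTURE, WAN_CAPTURE)


if __name__ == "__main__":
    for (dst, ident, seq), verdict in diagnose_sample().items():
        print(f"{dst} id={ident} seq={seq}: {verdict}")
```

Run `ping` from the laptop while both captures are open, then feed the saved text to `classify`. A request that shows up on the WAN with its 192.168.102.x source intact has not been source-translated, and a request that never shows up on the WAN at all was dropped or routed elsewhere before it got there; the two cases call for different fixes, which is why the verdicts are kept apart.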
Title: Re: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
Post by: gctwnl on December 03, 2022, 01:18:44 pm
My LAN is 192.168.2

I can test this in two ways:
Both give the same effect (but of course not necessarily for the same reason)

I looked at packets on the router first. When the VPN is turned on on the laptop I noticed that ICMP replies (ping) would not be returned from anything but the LAN. But what was interesting was that I also did not see the replies on the WAN:

I am going to investigate more later, but I have found a workaround for now. Because my Phase 2 is configured to have 0.0.0.0/0 as Local Network for the VPN client (i.e.: route all traffic through VPN). But when I turn that off, and I tell it that only LAN should be routed, I hava split VPN that works. It is not what I want, because if I take over remote machines I do not want them to have also some independent link to the internet that doesn't go through my protections, but at least I have something that can work.