OPNsense Forum
English Forums => General Discussion => Topic started by: gctwnl on December 03, 2022, 04:30:29 am
-
I have set up IKEv2 IPsec. I can connect the tunnel and I can connect to the devices on OPNsense's LAN.
WAN: my-WAN-range (5 fixed IP)
LAN: 192.168.2.2/24
IPsec net: 192.168.102.2/24
Local Net: 0.0.0.0/0 (route all traffic via VPN)
Users: FreeRADIUS
When the laptop is connected via IKEv2 to the OPNsense IPsec service, it gets IP address 192.168.102.163 (set in FreeRADIUS)
When connected I can connect to sites on the LAN (so from 192.168.102.163 to for instance 192.168.2.86), but I cannot get to the internet at large. I cannot see any blocked stuff in the Firewall logging. It seems my packets disappear in a black hole when I try to reach some web site (like www.apple.com).
How can I find out what happens with the traffic from the Road Warrior laptop?
-
Interface, diagnostics, packet capture. Perform it simultaneously with one on your laptop. The shark is your friend https://www.wireshark.org/
-
My LAN is 192.168.2
I can test this in two ways:
- laptop (Macbook) connected to some 4G provider, then create the IPsec tunnel
- laptop (Macbook) connected to different Wifi SSID that is linked to a VLAN (192.168.3), then create the IPsec tunnel
Both give the same effect (but of course not necessarily for the same reason)
I looked at packets on the router first. When the VPN is turned on on the laptop I noticed that ICMP replies (ping) would not be returned from anything but the LAN. But what was interesting was that I also did not see the replies on the WAN:
- IPsec turned on on laptop (VLAN connected to IPsec): WAN sends out requests on behalf of 192.168.102.163 but does not register a reply
- IPsec turned off on laptop (VLAN only): WAN sends out requests on behalf of 192.168.3.89 and receives replies
I am going to investigate more later, but I have found a workaround for now. Because my Phase 2 is configured to have 0.0.0.0/0 as Local Network for the VPN client (i.e.: route all traffic through VPN). But when I turn that off, and I tell it that only LAN should be routed, I have a split VPN that works. It is not what I want, because if I take over remote machines I do not want them to have also some independent link to the internet that doesn't go through my protections, but at least I have something that can work.
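To make the comparison described in the post above repeatable (requests that leave the WAN on behalf of 192.168.102.163 but never get a reply), here is an added example that is not code from the thread or from OPNsense: it parses ICMP lines in `tcpdump -n icmp` format from a WAN-side capture and flags echo requests whose source address is not the WAN address (a private VPN-client address leaving untranslated cannot be answered from the internet), plus requests that never received a reply. The capture lines and the addresses 203.0.113.5 (WAN) and 198.51.100.7 (remote host) are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in "tcpdump -n icmp" format, not a real capture.
# 203.0.113.5 stands in for the OPNsense WAN address, 198.51.100.7 for a public web host.
SAMPLE_WAN_CAPTURE = """\
12:00:01.000100 IP 192.168.102.163 > 198.51.100.7: ICMP echo request, id 41, seq 1, length 64
12:00:02.000200 IP 192.168.102.163 > 198.51.100.7: ICMP echo request, id 41, seq 2, length 64
12:00:03.000300 IP 203.0.113.5 > 198.51.100.7: ICMP echo request, id 77, seq 1, length 64
12:00:03.020400 IP 198.51.100.7 > 203.0.113.5: ICMP echo reply, id 77, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture: str):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; other lines are ignored."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def audit_wan_capture(capture: str, wan_ip: str):
    """Return two findings from a WAN-side capture:
    leaked:     (src, dst) of echo requests whose source is not the WAN address, e.g. a
                VPN client's 192.168.x.x address leaving untranslated; nothing on the
                internet can route a reply back to it,
    unanswered: (src, dst, id, seq) of requests with no matching reply in the capture."""
    wan = ipaddress.ip_address(wan_ip)
    requests, replies, leaked = [], set(), []
    for src, dst, kind, icmp_id, seq in parse_icmp(capture):
        if kind == "request":
            requests.append((src, dst, icmp_id, seq))
            if ipaddress.ip_address(src) != wan:
                leaked.append((src, dst))
        else:  # reply: swap endpoints so the key matches the originating request
            replies.add((dst, src, icmp_id, seq))
    unanswered = [k for k in requests if k not in replies]
    return leaked, unanswered


if __name__ == "__main__":
    leaked, unanswered = audit_wan_capture(SAMPLE_WAN_CAPTURE, "203.0.113.5")
    for src, dst in leaked:
        print(f"untranslated source {src} -> {dst} seen on WAN")
    for src, dst, i, s in unanswered:
        print(f"no reply for {src} -> {dst} id={i} seq={s}")
```

Feed it a real WAN capture (`tcpdump -n -i <wan_if> icmp`) taken while pinging from the road-warrior laptop; any line reported as an untranslated source is the traffic that has no way back.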