Dear all,
I am trying to set up an IPsec VPN connection. The channel is working and access to the local network is possible, but I can't connect to the internet, meaning that when the VPN connection is enabled, browsing the internet is not possible.
Is this a matter of rule definition, or of DNS / network configuration?
In the meantime I found the solution, unfortunately only by combining several different posts from around the internet.
1) manual IPsec-LAN rule set on outbound NAT
- outbound NAT rule with selection "IPsec net" as source -> no difference; "IPsec net" (defined as 10.0.0.0/24 for mobile clients) seems not to be connected to the IPsec net as defined
- second try with outbound NAT rule with selection "10.0.0.0/24" as source -> works perfectly
- all additional rules for ESP / port 500 / port 4500 and IPsec net are defined as described in the wiki
Overall it seems that automatic outbound NAT rule generation is not working properly, and "IPsec net" is not combined with the virtual address pool as defined in the IPsec application.
2) definition of DNS for mobile clients
- use OPNsense-IP for DNS for mobile clients
- other DNS services would work as well, but then I think not all internet queries go through the VPN connection
3) unbound DNS
- manually add the IPsec net to the access list for network 10.0.0.0/24
4) adjust firewall advanced settings
- enable "Reflection for port forwards"
- enable "Reflection for 1:1"
- enable "Automatic outbound NAT for Reflection"
5) it is now possible for me to use IPsec with a "road warrior for mobile clients" tunnel and an "IP site-to-site" tunnel in parallel
- access to internet from mobile device via Cisco IPsec client is now possible
- access to local LAN is now possible via Cisco IPsec client
Maybe there is an easier way, but I found no other working solution for IPsec. OpenVPN was tested as well and is much easier, but OpenVPN is not possible for all my clients.
By the way, the behaviour is the same with 18.7 and 19.1.
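The core finding above is that the automatically generated outbound NAT did not actually cover the mobile client pool. As an added example (not from the post and not OPNsense's own code), the following Python script parses pfctl-style NAT rule listings and checks whether some rule on the WAN interface has a source network that contains the whole pool; the sample rule text, the exact output format and the interface name em0 are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of "pfctl -sn" output (not taken from the post);
# real output may differ slightly, so the regex below is an assumption.
SAMPLE_PFCTL_NAT = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
nat on em0 inet from 127.0.0.0/8 to any -> (em0:0) port 1024:65535
nat on em0 inet from 10.0.0.0/24 to any -> (em0:0) port 1024:65535
"""

NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+)\s+(?:inet6?\s+)?from (?P<src>\S+) to (?P<dst>\S+)"
)


def parse_nat_rules(text):
    """Return (interface, source, destination) tuples for each 'nat on' rule."""
    rules = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append((m["iface"], m["src"], m["dst"]))
    return rules


def covers_pool(rules, wan_iface, pool):
    """True if a NAT rule on wan_iface has a source that contains the entire pool.

    A source of 'any' counts as covering. A source that only partially overlaps
    the pool does not: clients outside the overlap would leave unNATed and their
    replies would never come back, which is the symptom described in the post.
    Table/alias references such as <ipsec_net> cannot be resolved offline and
    are skipped, so they never count as coverage here.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    for iface, src, _dst in rules:
        if iface != wan_iface:
            continue
        if src == "any":
            return True
        try:
            src_net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue
        if src_net.version == pool_net.version and src_net.supernet_of(pool_net):
            return True
    return False


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_PFCTL_NAT)
    print("mobile pool 10.0.0.0/24 NATed on em0:", covers_pool(rules, "em0", "10.0.0.0/24"))
```

On a live box, feed the real listing in with `pfctl -sn` and the mobile pool configured under the IPsec mobile client settings.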