OPNsense Forum

English Forums => General Discussion => Topic started by: shaerul on January 09, 2024, 12:07:11 PM

Title: OPNSense is blocking VPN client access to VPN server
Post by: shaerul on January 09, 2024, 12:07:11 PM

                      Internet
                         |
          [Public IP from ISP] |Windows VPN Client|
                         |
                         |
                         | WAN [x.x.30.132]
             +-----------------------+
             |   OPNsense Firewall   | (1:1 NAT x.x.31.0/24 to 192.168.2.0/24)
             +-----------------------+
                         | LAN [192.168.2.1/24]
                         |
                         |
                         + [192.168.2.17]
                    |VPN Server|


I am running a VPN server inside an OPNsense firewall. The WAN public IP block and the LAN private IP block are mapped through 1:1 NAT in the OPNsense firewall. Apparently, there is no problem with the one-to-one NAT. But when I try to connect to the VPN server (x.x.31.17 -> 192.168.2.17) from the Windows host VPN client over the Internet, it fails. For testing purposes I put a Windows host VPN client in the LAN and tried to connect to the VPN server (192.168.2.17). It connects flawlessly.

The VPN type is L2TP/IPsec with a pre-shared key.

Can you please help me to resolve this issue?

Title: Re: OPNSense is blocking VPN client access to VPN server
Post by: shaerul on January 09, 2024, 08:52:02 PM
The UDP packets captured at the OPNsense firewall's LAN port are as follows (the public IP of the VPN client is replaced with x.y.46.17):

01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:44.232301 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.236607 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:44.262613 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.262627 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
01:42:54.241907 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:54.251962 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:54.283246 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:43:04.306005 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:43:04.371417 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
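Added example (not code from the poster or from the OPNsense project): a small Python parser for tcpdump's default one-line output, as posted above, that counts the IKE stages and reports how far the tunnel got. The point of the check is what the capture does and does not contain: phase 1 completes, both peers move to UDP/4500 (NAT detected), quick mode is answered, then an informational exchange follows and the whole quick-mode round repeats, and no ESP payload (tcpdump would show `UDP-encap: ESP(spi=...)`) ever appears. The sample capture embedded below is a constructed subset of the lines in the post; the line format, the event names (`ident`, `oakley-quick`, `inf`, `isakmp-nat-keep-alive`) and the one-second retransmission threshold are assumptions about tcpdump's output, not anything the thread states.

```python
import re

# Constructed sample: a subset of the tcpdump lines quoted in the post above
# (client public IP anonymised as x.y.46.17, exactly as posted).
SAMPLE_CAPTURE = """\
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
"""

# Assumed tcpdump line shape: "<HH:MM:SS.ffffff> IP <src>.<sport> > <dst>.<dport>: <decoded payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<info>.*)$"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(info):
    """Map tcpdump's decoded payload text to a coarse handshake event kind."""
    if "ESP(" in info:                       # "UDP-encap: ESP(spi=...)" or plain "ESP(spi=...)"
        return "esp"
    if "isakmp-nat-keep-alive" in info:
        return "keepalive"
    if "phase 1" in info:                    # main-mode identity protection exchange
        return "phase1_init" if " I " in info else "phase1_resp"
    if "oakley-quick" in info:               # phase 2 quick mode (negotiates the ESP SA)
        return "quick_init" if " I " in info else "quick_resp"
    if re.search(r"\binf\b", info):          # informational exchange (notify/delete)
        return "informational"
    return "other"


def summarize(capture_text):
    """Count handshake events in a tcpdump text capture and derive a few facts."""
    counts = {k: 0 for k in ("phase1_init", "phase1_resp", "quick_init", "quick_resp",
                             "informational", "keepalive", "esp", "other")}
    nat_t = False
    quick_rounds = 0
    last_quick = None
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind = classify(m["info"])
        counts[kind] += 1
        # Traffic on UDP/4500 means both peers detected NAT on the path and switched to NAT-T.
        if m["sport"] == "4500" or m["dport"] == "4500":
            nat_t = True
        if kind == "quick_init":
            t = _seconds(m["ts"])
            # Assumed threshold: a quick-mode initiation more than one second after the
            # previous one is a fresh attempt, not a retransmission inside the same exchange.
            if last_quick is None or t - last_quick > 1.0:
                quick_rounds += 1
            last_quick = t
    counts.update(nat_t=nat_t, quick_rounds=quick_rounds)
    return counts


def assess(s):
    """State which stage the tunnel reached; a heuristic reading, not a verdict."""
    if s["esp"] > 0:
        return "ESP data observed: the IPsec SA came up, so look at L2TP/PPP next"
    if s["phase1_resp"] == 0:
        return "no phase 1 reply from the server: IKE on UDP/500 is not reaching it"
    if s["quick_resp"] == 0:
        return "phase 1 completed but the server never answered quick mode: check the server's IPsec policy and PSK"
    nat = " with NAT-T active" if s["nat_t"] else ""
    return ("IKE negotiates (phase 1 and %d quick-mode round(s)%s) but no ESP payload follows: "
            "both directions reach the server, so ports are not the problem; the SA is agreed "
            "and then abandoned, so check the NAT-T/address handling on client and server"
            % (s["quick_rounds"], nat))


if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURE)
    for key, value in summary.items():
        print("%-14s %s" % (key, value))
    print(assess(summary))
```

Feed it a capture taken with `tcpdump -n -i <LAN interface> udp port 500 or udp port 4500` on the firewall; the script only understands the default one-line format, so drop `-v` and `-x`. Running it on the full capture in the post gives several quick-mode rounds, zero ESP packets and the last message, which is the symptom to chase rather than firewall rules.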