OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: steffda on February 27, 2019, 11:35:28 pm

Title: Mobile does not use established IKEv2/IPsec VPN tunnel
Post by: steffda on February 27, 2019, 11:35:28 pm
Hello everybody,
I have had a big problem with my IKEv2/IPsec VPN since today.
Until yesterday evening, everything worked fine, connection to the vServer, IPsec connection, etc.
From today I have the following phenomenon:
My phone sets up the IPsec tunnel, and the phone shows VPN status connected. OPNsense IPsec -> Lease Status shows that the mobile phone has been assigned an IP address and the tunnel has been established.
But if I test the external IP on the phone, it shows the one that comes from my Internet provider (via WLAN) or from my mobile network provider (without WLAN). Now, when I call up a webpage, it gets loaded, but there is nothing in the firewall's live log.
I've already rebooted OPNsense, as well as reset my phone to factory settings, but nothing helps.

All this happened after changing the Dead Peer Detection parameter in the IPsec Phase 1 settings; other parameters were not changed.
Whether it is related, I cannot say; it is just a network with many components ;).

And something else I noticed: When everything worked, I had a timeout on the VPN connection every few minutes, so I had to reconnect. Since it stopped working, I have no timeouts anymore. The phone and OPNsense say they are connected. :-/

Does anyone have any idea why this might be?

Oh, and ... the phone is a Lumia 950 with Windows 10 Mobile and OPNsense is version 19.1.1.

greetings
steffen
Title: Re: Mobile does not use established VPN tunnel
Post by: steffda on February 28, 2019, 10:40:35 am
I've tried the same with a Windows 10 PC.
It's the same effect. The VPN connection is established, but it is not used.
ipconfig results in:

PPP_Adapter VPN
IPv4 address ..................... 172.16.99.2
Subnet mask ................... 255.255.255.255
Standard Gateway ...............

In OPNsense the following is set:
VPN -> IPsec -> Mobile Clients -> Virtual Address Pool 172.16.99.0/24

This results in the following questions for me:
1. Do I need a standard gateway? If so, how do I get that via IPsec in the network settings of the Windows PC?
2. Why is the subnet mask wrong? How and where can this be changed?
Title: Re: Mobile does not use established IKEv2/IPsec VPN tunnel
Post by: steffda on March 01, 2019, 04:50:17 pm
After a long, long search I found the solution and some answers here:
https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/why-doesnt-the-vpn-work-on-windows-10-mobile/607d23f9-eff0-44f6-9308-bbd250569966
User dpaz_tech in that thread wrote:
Quote
In our case, the correct protocol to choose when setting up any VPN manually through the Windows 10 Mobile interface is "Automatic."