OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: GreyBeard on October 10, 2019, 05:03:40 pm

Title: IPSec VPN – Can access VPN network or Internet, not both!
Post by: GreyBeard on October 10, 2019, 05:03:40 pm
I have successfully setup IPSec VPN Road Warrior profile for a Windows 10 client using PowerShell and connect OK.

However, I can ONLY access the remote VPN LAN if the split tunnel option (found from the IPv4 Networking, Advanced, IP Settings) "use default gateway on remote network" is ENABLED

When it is enabled I CANNOT access the public Internet.

With the "use default gateway on remote network" DISABLED, I can access the public Internet, but I CANNOT access machines or services within the VPN LAN.

What is required to allow me to access:

Ideally it would be best if I could resolve DNS names for the VPN LAN, but I'll accept being able to access remote resources via IP for now.

Thanks
Title: Re: IPSec VPN – Can access VPN network or Internet, not both!
Post by: GreyBeard on October 11, 2019, 10:42:39 am
Seems I'm not alone

This thread: https://forum.opnsense.org/index.php?topic=14141.0

Far better explains the issue and the other linked issues regarding the issues around IPSec
Title: Re: IPSec VPN – Can access VPN network or Internet, not both!
Post by: Tubs on October 12, 2019, 05:23:29 am
I shortly switched from OpenVPN to IPsec and was struggling with the same problem: access to LAN was possible but no access to WAN in the configuration that all traffic from client should go from client through OPNsense.

Instead of posting my complete configuration I will give you some hints what to check. So you will come closer to the problem. (English wording might not be 100% correct due to other language settings on my system)

(1) Route all network through IPSec tunnel
--> IPsec --> tunnel settings --> phase 2 --> local network
--> type: network
--> address 0.0.0.0 / 0

(2) mobile configurations
--> IPsec --> mobile clients --> client configuration --> virtual address pool
--> enabled
--> 10.10.0.0/24  (sample configuration)

--> IPsec --> mobile clients --> client configuration --> DNS server
--> enabled
--> 192.168.0.1  (example. unbound on LAN address of OPNsense)

(3) firewall: allow traffic from IPsec to WAN
--> Firewall -> IPsec
allow IPv4 * * * * * *
(if required more precise rules are needed to restrict traffic)

(4) allow IPsec network to unbound (if applicable)
--> services -> Unbound DNS  access lists
--> add network 10.10.0.0 / 24 (same as in example for IPsec)


(5) NAT – route to WAN
--> Firewall -> NAT -> outbound
--> modus: hybrid (automatic rules after manual rules)
--> add
--> device: WAN
--> source address: 10.10.0.0 / 24 (same as in example for IPsec)

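The two items that keep coming up in this thread are the pass rule on the IPsec interface (step 3) and the outbound NAT rule (step 5). The following is an added example, not code from the thread or from OPNsense: a small shell helper that checks for both in the firewall's own `pfctl` output on the OPNsense box. The pool 10.10.0.0/24 is the thread's sample value, the WAN device name and the exact shape of the `pfctl` lines are assumptions (the sample output is constructed).

```shell
#!/bin/sh
# Added example (not from the thread): check that steps (3) and (5) of the
# list above actually ended up in the running pf ruleset.
# 10.10.0.0/24 is the thread's sample pool; em0 as WAN is an assumption.
POOL="10.10.0.0/24"
# Escape the dots so the pool is matched literally in the grep patterns.
POOL_RE=$(printf '%s' "$POOL" | sed 's/\./\\./g')

# Step (5): without an outbound NAT rule, packets from the virtual address
# pool leave the WAN with a private source address and replies never come
# back, which is exactly the "VPN LAN works, Internet does not" symptom.
# $1 = text of `pfctl -sn` (NAT rules). Returns 0 when a matching rule exists.
has_outbound_nat() {
    printf '%s\n' "$1" | grep -Eq "^nat on [a-z0-9_]+ (inet )?from $POOL_RE to any ->"
}

# Step (3): decrypted tunnel traffic is filtered on the enc0 interface.
# A pass rule whose destination is only the LAN does not cover Internet
# destinations, so look for one that passes the pool to any.
# $1 = text of `pfctl -sr` (filter rules).
has_ipsec_pass_any() {
    printf '%s\n' "$1" | grep -Eq "^pass in .*on enc0 .*from $POOL_RE to any( |$)"
}

# Constructed sample output, shaped like pfctl's, for a box with both rules.
SAMPLE_NAT='nat on em0 inet from 10.10.0.0/24 to any -> (em0) port 1024:65535'
SAMPLE_RULES='pass in quick on enc0 inet from 10.10.0.0/24 to 192.168.0.0/24 flags S/SA keep state label "IPsec to LAN only"
pass in quick on enc0 inet from 10.10.0.0/24 to any flags S/SA keep state label "IPsec to any"'

# On the live firewall, run the same checks against the real ruleset:
#   has_outbound_nat "$(pfctl -sn)"   && echo "outbound NAT for pool: ok"
#   has_ipsec_pass_any "$(pfctl -sr)" && echo "pass rule pool -> any: ok"
```

If only the first check fails you have the thread's original symptom (LAN reachable, no Internet); if only the second fails, Internet-bound traffic is dropped before it ever reaches NAT.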
Title: Re: IPSec VPN – Can access VPN network or Internet, not both!
Post by: roundabout on October 25, 2019, 02:42:50 pm
Thank you Tubs, I was finally able to get my IPsec VPN working.  I had pieced together the other parts from various posts on the web, but the part I was missing was adding the new NAT rule.
Title: Re: IPSec VPN – Can access VPN network or Internet, not both!
Post by: johnstonjs on November 06, 2019, 12:31:24 am
All,

Thank you for helping me resolve this!  In the post from Tubs, entry (3) was what made the difference.  I had separate firewall entries to allow IPSec traffic to LAN and WAN, and that did not work.  It seems to be absolutely essential to have an all IPv4 entry to * (all).