OPNsense Forum

English Forums => General Discussion => Topic started by: pawel_dor on March 30, 2016, 03:19:41 pm

Title: Internet connection over IPSec VPN
Post by: pawel_dor on March 30, 2016, 03:19:41 pm
Hello,

I configured IPSec following https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html
But after connecting to VPN, I'm losing internet connection.

Thx for your help

My config

Firewall
(http://s22.postimg.org/764ii9fe5/firewall_ipsec.png) (http://postimg.org/image/764ii9fe5/)

(http://s22.postimg.org/xfpl121bh/firewall_LAN.png) (http://postimg.org/image/xfpl121bh/)

(http://s22.postimg.org/opsi07ju5/firewall_WAN.png) (http://postimg.org/image/opsi07ju5/)

Mobile Client
(http://s22.postimg.org/bj320oo4t/Mobile_Client_Settings.png) (http://postimg.org/image/bj320oo4t/)

Phase 1
(http://s22.postimg.org/vrqfmenfx/Phase_1_part_1.png) (http://postimg.org/image/vrqfmenfx/)
(http://s22.postimg.org/dmdh8cnxp/Phase_1_part_2.png) (http://postimg.org/image/dmdh8cnxp/)

Phase 2
(http://s22.postimg.org/tppy85pgt/Phase_2_part_1.png) (http://postimg.org/image/tppy85pgt/)
(http://s22.postimg.org/8u3nwwt9p/Phase_2_part_2.png) (http://postimg.org/image/8u3nwwt9p/)
Title: Re: Internet connection over IPSec VPN
Post by: packet loss on April 03, 2016, 05:18:41 am
I guess I'll throw my 2 cents in just in case it may help. Make sure you have net.inet.ip.fastforwarding set to 0 (off) in the tunables since having it on will possibly break IPSEC. Also take a look at the following forum link which has some good information reference NIC TSO settings etc:

https://forum.opnsense.org/index.php?topic=896.0

Not sure which NIC you are using but take a look at your TSO, LRO, RX checksum, TX checksum etc settings for your particular NIC to make sure they are turned off. Those in particular may cause you issues.

Useful link:
https://www.freebsd.org/cgi/man.cgi?ifconfig
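
The offload check suggested in the post above, as an added example that is not part of the original thread: it parses FreeBSD `ifconfig` output and lists which of the named offloads (TSO, LRO, RX/TX checksum) are still enabled per interface. The sample output, interface names and option values are constructed.

```python
import re

# Offload capabilities the post says to turn off (FreeBSD ifconfig flag names).
OFFLOADS = {"RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6",
            "TSO4", "TSO6", "LRO"}

# Constructed sample of `ifconfig` output; names and hex values are made up.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
\tether 00:00:5e:00:53:01
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
\tether 00:00:5e:00:53:02
"""


def enabled_offloads(ifconfig_text):
    """Map each interface to the sorted offload flags still enabled on it."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            current = header.group(1)
            result[current] = []
            continue
        # Only the options= line lists enabled capabilities; skip ether, inet, etc.
        opts = re.match(r"^\s+options=[0-9a-f]+<([^>]*)>", line)
        if opts and current:
            flags = set(opts.group(1).split(","))
            result[current] = sorted(flags & OFFLOADS)
    return result


if __name__ == "__main__":
    for iface, flags in enabled_offloads(SAMPLE_IFCONFIG).items():
        print(iface, "offloads enabled:", ", ".join(flags) or "none")
```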
Title: Re: Internet connection over IPSec VPN
Post by: pawel_dor on April 04, 2016, 10:23:19 am
Nothing changed :(

I'm trying to set net.inet.ip.fastforwarding but I cannot find the correct config file.

I found, net.inet.ip.fastforwarding = 0
Title: Re: Internet connection over IPSec VPN
Post by: Kuragari on May 03, 2016, 08:38:27 pm
Hello, I have the same problem. The connection to the IPSec VPN works but there is no internet connection when connected.

The VPN connection is stable, I think it is a configuration problem but I don't know where.
Title: Re: Internet connection over IPSec VPN
Post by: DokuKäfer on May 03, 2016, 09:41:12 pm
Mobile Client

Virtual Address Pool:   192.168.1.1

Maybe?  :D
Title: Re: Internet connection over IPSec VPN
Post by: Kuragari on May 03, 2016, 09:52:59 pm
Mobile Client

Virtual Address Pool:   192.168.1.1

Maybe?  :D

No, I get an IP address and I can communicate with the LAN; only internet access doesn't work (rules and NAT are OK).
Title: Re: Internet connection over IPSec VPN
Post by: kabrutus on May 26, 2016, 03:23:26 am
I too am having the same issues.  Has this been resolved?
Title: Re: Internet connection over IPSec VPN
Post by: kabrutus on May 26, 2016, 07:34:49 am
I was able to get the internet running by changing the network to 0.0.0.0/0 in the P2 setting, but now all the internet traffic goes through the tunnel. Is there a way to set the client computer to use its own internet connection for browsing and use the VPN only for network/server connection?
Title: Re: Internet connection over IPSec VPN
Post by: Kuragari on May 26, 2016, 08:02:42 am
Yes, problem solved for me too with the same parameters.

Anyway, no, it is not possible to use the local internet connection with the VPN. When the VPN tunnel is up, all data goes through it.
Title: Re: Internet connection over IPSec VPN
Post by: Kuragari on May 26, 2016, 09:02:01 am
I have just one last problem. The VPN works on LAN and not on WAN (sometimes it works, sometimes not).

I have the rules in the firewall (ISAKMP, IPsec NAT-T, ESP and AH) so I assume that is not the problem. I am directly connected on my WAN interface.

I just have a special configuration: my WAN uses a private IP address because I need to do double NAT.

My WAN interface doesn't block private IP traffic (configuration in the interfaces menu).

Does somebody have an idea?

Here are the last lines in the log:
May 26 08:55:38   charon: 10[JOB] deleting half open IKE_SA after timeout
May 26 08:55:32   charon: 10[NET] sending packet: from 192.168.1.2[500] to 192.168.1.19[500] (412 bytes)
May 26 08:55:32   charon: 10[IKE] sending retransmit 3 of response message ID 0, seq 1
May 26 08:55:32   charon: 10[IKE] <con1|37> sending retransmit 3 of response message ID 0, seq 1
May 26 08:55:19   charon: 10[NET] sending packet: from 192.168.1.2[500] to 192.168.1.19[500] (412 bytes)
May 26 08:55:19   charon: 10[IKE] sending retransmit 2 of response message ID 0, seq 1
May 26 08:55:19   charon: 10[IKE] <con1|37> sending retransmit 2 of response message ID 0, seq 1
May 26 08:55:18   charon: 10[NET] sending packet: from 192.168.1.2[500] to 192.168.1.19[500] (412 bytes)
May 26 08:55:18   charon: 10[IKE] received retransmit of request with ID 0, retransmitting response
May 26 08:55:18   charon: 10[IKE] <con1|37> received retransmit of request with ID 0, retransmitting response
May 26 08:55:18   charon: 10[NET] received packet: from 192.168.1.19[500] to 192.168.1.2[500] (776 bytes)