OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: abel408 on March 21, 2017, 07:39:57 pm

Title: Weird IPSec VPN Issue. Client cannot even ping internet or itself
Post by: abel408 on March 21, 2017, 07:39:57 pm
I have a weird IPSec issue going on. I set up my IPSec VPN following this guide: https://docs.opnsense.org/manual/how-tos/ipsec-road.html

Everything is the same except that Negotiation mode is set to Main. Aggressive did not work.

My virtual address pool is 10.140.0.0/24
My OPNsense IP is 192.168.0.101
My LAN address is 10.128.0.0/16


My client can successfully connect and is given the IP address 10.140.0.1 from the OPNsense server. When I try to ping that address from the client, it times out. I also cannot ping or connect to anything... not even Google's public DNS servers. It's like it's trying to send all traffic through the VPN.

My internal hosts can ping the IPSec client. For example, a machine at 10.128.0.50 can ping 10.140.0.1, but 10.140.0.1 cannot ping 10.128.0.50.

If I start a packet capture on the IPSec interface, I can see the ICMP requests and replies... even the ones that do not go through to 10.128.0.50. If I ping 10.128.0.50 from my VPN client, the client never sees the reply and times out, but the packet capture shows the request and reply. If I ping the client from the client, all I see is the request, no reply.


I'm thinking something is wrong with the VPN routing table... My environment is slightly different from the example in the docs. My LAN address on the OPNsense box is 192.168.0.101, which connects to another router at 192.168.0.102. That internal router has the subnet 10.128.0.1 which I want the VPN clients to connect to.
Title: Re: Weird IPSec VPN Issue. Client cannot even ping internet or itself
Post by: abel408 on March 21, 2017, 09:51:03 pm
Also, my OPNsense box cannot ping the VPN client (10.140.0.1). How is it that my internal host can ping it, but not my OPNsense box?

I do not have any NAT setting set for Phase 2. It is just set to Auto and None. Could this be the case? Do I need NAT? If so, what should this be set to?

Thanks
Title: Re: Weird IPSec VPN Issue. Client cannot even ping internet or itself
Post by: Julien on March 21, 2017, 11:40:00 pm
Quote from: abel408 on March 21, 2017, 09:51:03 pm
> Also, my OPNsense box cannot ping the VPN client (10.140.0.1). How is it that my internal host can ping it, but not my OPNsense box?
>
> I do not have any NAT setting set for Phase 2. It is just set to Auto and None. Could this be the case? Do I need NAT? If so, what should this be set to?
>
> Thanks
Do you have allow-any rules on your OpenVPN interface?
Title: Re: Weird IPSec VPN Issue. Client cannot even ping internet or itself
Post by: abel408 on March 22, 2017, 02:48:24 pm
This is an IPSec interface. I have an allow all rule. I've already looked at my firewall logs and nothing is being blocked.

Does anyone have a working road warrior setup? I'm pretty sure this is some sort of bug. The OPNsense box has no knowledge of the IPsec subnet. It doesn't know where to route the traffic to.
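The last two posts circle around the same observation: an internal host can reach the client but the firewall itself cannot, and the client cannot even reach its own pool address. With policy-based IPsec on FreeBSD (which OPNsense uses), an outbound packet is first matched against the security policy database (SPD) on its source and destination pair; only packets that match no Phase 2 selector fall through to the ordinary routing table. The following model is an added illustration written for this thread, not code from OPNsense or from anyone in the discussion. The addresses are the ones quoted in the posts; the single Phase 2 selector (10.128.0.0/16 on the local side, the 10.140.0.0/24 pool on the remote side) and the route entries are assumptions, and the WAN gateway is a placeholder.

```python
"""Model of the forwarding decision on a policy-based IPsec gateway.

Added illustration for the forum thread above. Addresses are taken from the
posts; the Phase 2 selector and the routing table entries are assumed.
"""
import ipaddress

# Constructed SPD with one Phase 2 entry (assumed): local side is the LAN
# behind the internal router, remote side is the virtual address pool.
SPD = [
    (ipaddress.ip_network("10.128.0.0/16"),   # local network
     ipaddress.ip_network("10.140.0.0/24")),  # remote (virtual pool)
]

# Constructed routing table of the OPNsense box as described in the thread:
# connected LAN, the internal router's subnet via 192.168.0.102, and a default
# route towards the WAN gateway (placeholder).
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "LAN (directly connected)"),
    (ipaddress.ip_network("10.128.0.0/16"), "via 192.168.0.102"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN default gateway (placeholder)"),
]


def spd_match(src, dst):
    """True if the (src, dst) pair sits inside a Phase 2 selector.

    Policies are installed for both directions, so the check is symmetric:
    LAN -> pool and pool -> LAN both match.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s in local and d in remote) or (s in remote and d in local)
               for local, remote in SPD)


def route_lookup(dst):
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if d in r[0]]
    best = max(candidates, key=lambda r: r[0].prefixlen)
    return best[1]


def forwarding_decision(src, dst):
    """SPD first, routing table second: the order that explains the symptoms."""
    if spd_match(src, dst):
        return "IPsec tunnel (SPD match)"
    return "plain routing: " + route_lookup(dst)


def explain_thread_cases():
    """Run the four traffic cases mentioned in the posts through the model."""
    cases = {
        "internal host 10.128.0.50 -> client": ("10.128.0.50", "10.140.0.1"),
        "client -> internal host 10.128.0.50": ("10.140.0.1", "10.128.0.50"),
        "OPNsense box itself -> client":       ("192.168.0.101", "10.140.0.1"),
        "client -> its own pool address":      ("10.140.0.1", "10.140.0.1"),
    }
    return {name: forwarding_decision(s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for name, decision in explain_thread_cases().items():
        print(f"{name:40s} {decision}")
```

The model reproduces the pattern in the posts: LAN-to-pool traffic in either direction matches the selector and is carried by the tunnel, while a packet sourced from the firewall's own address (192.168.0.101), or a packet from the client addressed to its own pool address, matches no selector and is handed to the routing table, where the only entry covering 10.140.0.1 is the default route. On a FreeBSD-based box the installed policies can be listed with `setkey -DP` and the routing table with `netstat -rn`, which is the pair of checks that distinguishes "policy missing" from "route missing".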