15.7 Legacy Series / No LAN access with mobile IPSec
« on: November 04, 2015, 05:55:21 am »
Hi Everyone, I'm a recent new user to OPNsense, and am having trouble with IPsec VPN with an iPhone (iPhone 6S, iOS 9.1). I can connect to the VPN just fine from my mobile device, and can pass traffic to and from the WAN interface, but have no access to my local network from the iPhone. I can see in the firewall logs that the traffic from the iPhone is being allowed to pass through the firewall and on to the device I'm trying to access on my LAN, but I'm never able to successfully access it. I've tried to access a web server (port 80), my security cameras, a FreeNAS server, and Windows RDP, all without success. I'm also unable to ping any of the devices using HE tools when connected over the VPN.
I've tried toying around with many, many different settings from the pfSense forums (that's how I got IPsec set up) but haven't been able to master this one last piece. I've been using MikroTik PPTP VPN for some time with great success, but am wanting to move over to OPNsense ASAP.
My configuration is below for the IPSec section, as well as firewall settings. Most everything is default settings, with the exception of IPSec.
Anyone see anything I'm doing wrong?
System Info
OPNsense 15.7.17-amd64
FreeBSD 10.1-RELEASE-p19
OpenSSL 1.0.2d 9 Jul 2015
Intel(R) Atom(TM) CPU D510 @ 1.66GHz
4 CPUs: 1 package(s) x 2 core(s) x 2 HTT threads
4 GB RAM
Mobile Clients
User authentication: Local Database
Group Authentication: System
Virtual Address Pool:
Provide a virtual IP: Checked
192.168.1.176/29
DNS Servers: Checked
8.8.8.8
8.8.4.4
Tunnel Phase1
Key Exchange: V1
IP: IPV4
Interface: WAN
Authentication Method: Mutual PSK+Xauth
Negotiation Mode: Aggressive
My Identifier: My IP Address
Peer Identifier: Distinguished Name, VPNUsers
Pre-Shared Key: password123
Encryption algorithm: AES 256
Hash Algorithm: SHA1
DH Key Group: 2 (1024)
Lifetime: 86400
Disable Rekey: Checked
Disable Reauth: Checked
NAT Traversal: Enable
Dead Peer Detection: Not Checked
Phase 2
Mode: Tunnel IPv4
Type: Address, 0.0.0.0/0
Nat/Binat: None
Address: Left blank, /128
Protocol: ESP
Encryption: Checked: AES, 256
Hash Algs: SHA1
PFS Keygroup: OFF
Lifetime: 28800
Auto Ping Host: Left blank
Firewall->NAT->Outbound
Automatic outbound NAT: Checked
Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
WAN | 127.0.0.0/8, 192.168.1.0/24, 192.168.1.176/29 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP
WAN | 127.0.0.0/8, 192.168.1.0/24, 192.168.1.176/29 | * | * | * | WAN address | * | NO | Auto created rule
Firewall->Rules->LAN
Proto | Source | Port | Destination | Port | Gateway | Description
* | * | * | LAN Address | 443/80 | * | Anti-Lockout Rule
IPv4 * | LAN net | * | * | * | * | Default allow LAN to any rule
IPv6 * | LAN net | * | * | * | * | Default allow LAN IPv6 to any rule
IPv4 IGMP | 0.0.0.0 | * | 224.0.0.1 | * | * | Easy Rule: Passed from Firewall Log View
Firewall->Rules->IPsec
Proto | Source | Port | Destination | Port | Gateway | Description
IPv4 * | * | * | * | * | WANGW |
IPv4 TCP | * | * | * | * | WANGW |
IPv4 * | * | * | * | * | * |
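As an added example (not part of the original post and not OPNsense code), the script below takes the values pasted above and runs two checks that matter for exactly this symptom, plus one that confirms the Phase 2 selector reaches the LAN. A mobile-client virtual address pool carved out of the LAN subnet means LAN hosts treat the VPN client address as local and ARP for it rather than route replies back to the firewall, so the tunnel works for WAN traffic but not for LAN traffic; and a firewall rule on the IPsec interface with a gateway set (WANGW here) policy-routes every matching packet out that gateway instead of to the LAN. The `IpsecMobileConfig` and `Rule` types, the `check` function and the `10.10.10.0/29` pool in the corrected configuration are assumptions made for this example; the posted configuration is transcribed from the post.

```python
"""Sanity checks for an OPNsense/pfSense-style IPsec mobile-client setup.

Added example: these checks encode two well-known causes of "VPN connects
but cannot reach the LAN" and one coverage check on the Phase 2 selector.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One firewall pass rule as shown in Firewall->Rules (assumed shape)."""
    interface: str
    proto: str
    source: str
    destination: str
    gateway: str  # "*" means the default routing table; anything else policy-routes
    description: str = ""


@dataclass
class IpsecMobileConfig:
    """The subset of the mobile-client setup these checks look at (assumed shape)."""
    lan_networks: list           # networks behind the firewall the clients should reach
    virtual_pool: str            # "Provide a virtual IP" pool handed to mobile clients
    phase2_local: str            # Phase 2 local network (Type: Address/Network)
    rules: list = field(default_factory=list)


def pool_overlaps(pool, lan_networks):
    """Return the LAN networks that overlap the virtual address pool."""
    p = ipaddress.ip_network(pool, strict=False)
    return [n for n in lan_networks
            if ipaddress.ip_network(n, strict=False).overlaps(p)]


def pinned_gateway_rules(rules, interface="IPsec"):
    """Return rules on the given interface that force traffic out a gateway."""
    return [r for r in rules if r.interface == interface and r.gateway != "*"]


def uncovered_by_phase2(phase2_local, lan_networks):
    """Return LAN networks not contained in the Phase 2 local selector."""
    p2 = ipaddress.ip_network(phase2_local, strict=False)
    return [n for n in lan_networks
            if not ipaddress.ip_network(n, strict=False).subnet_of(p2)]


def check(cfg):
    """Run all checks and return a list of human-readable findings (empty = clean)."""
    findings = []
    overlap = pool_overlaps(cfg.virtual_pool, cfg.lan_networks)
    if overlap:
        findings.append(
            f"virtual pool {cfg.virtual_pool} overlaps LAN network(s) "
            f"{', '.join(overlap)}: move the pool to an unused subnet so LAN "
            "hosts route replies via the firewall instead of ARPing for them")
    for r in pinned_gateway_rules(cfg.rules):
        findings.append(
            f"IPsec rule '{r.description or r.proto}' sets gateway {r.gateway}: "
            "policy routing sends matching traffic out that gateway, not to the "
            "LAN; leave the gateway at default")
    missing = uncovered_by_phase2(cfg.phase2_local, cfg.lan_networks)
    if missing:
        findings.append(
            f"Phase 2 local network {cfg.phase2_local} does not cover "
            f"{', '.join(missing)}: clients have no selector for that LAN")
    return findings


# Constructed from the values in the post above.
POSTED_CONFIG = IpsecMobileConfig(
    lan_networks=["192.168.1.0/24"],
    virtual_pool="192.168.1.176/29",
    phase2_local="0.0.0.0/0",
    rules=[
        Rule("IPsec", "IPv4 *", "*", "*", "WANGW"),
        Rule("IPsec", "IPv4 TCP", "*", "*", "WANGW"),
        Rule("IPsec", "IPv4 *", "*", "*", "*"),
    ],
)

# Assumed corrected configuration: pool outside the LAN, no pinned gateway,
# Phase 2 narrowed to the LAN it is meant to expose.
CORRECTED_CONFIG = IpsecMobileConfig(
    lan_networks=["192.168.1.0/24"],
    virtual_pool="10.10.10.0/29",  # assumed unused subnet, not from the post
    phase2_local="192.168.1.0/24",
    rules=[Rule("IPsec", "IPv4 *", "*", "*", "*", "allow VPN clients to LAN")],
)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {name} ==")
        for f in check(cfg) or ["no findings"]:
            print(" -", f)
```

Running it on the transcribed configuration reports the pool overlap and the two WANGW rules; the Phase 2 selector of 0.0.0.0/0 covers the LAN, so that check is silent. The corrected configuration produces no findings.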