IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range

Started by cb88, November 13, 2024, 12:51:01 AM

So I have the tunnel working, with 192.168.0.0/22 configured for my local network and 10.0.10.1/24 set as the VPN pool. For some reason, when configured as 10.0.10.0/24 it did not work correctly, e.g. I could connect and send packets to and from, but they would not be routed to the local subnet and vice versa. After configuring the pool to 10.0.10.1 it does route traffic to at least part of my local network and back (e.g. I can now RDP to 192.168.0.24).

I'm not sure if there is some route or firewall issue preventing me from connecting to anything in the rest of my /22.

Despite the fact that I can currently connect to the 192.168.0.x range of my /22 from the VPN, I am thinking I need to configure NAT between them?

November 13, 2024, 05:51:31 PM #2 Last Edit: November 13, 2024, 06:01:02 PM by Monviech (Cedrik)
Which client do you use?

Verify in the routing table of the client OS that the networks are indeed all present. Some clients/OSes (like Windows) dislike routes other than /24.

If not, create a full tunnel; some clients do not like split tunnels. Try to use 0.0.0.0/0 in the child.

Since I have a feeling it's the Windows native client: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#windows-10-11-native-vpn-client

Windows hated split tunneling with its native client. Rather use WireGuard or OpenVPN.
Hardware:
DEC740
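The routing-table check described above, done from PowerShell on the Windows native client. This is an added example, not code from the thread or from the OPNsense docs; the connection name is hypothetical, the /22 is the one from the thread, and the reachability sweep assumes a host answers at .1 of each /24.

```powershell
# Added example: inspect and fix client-side routes for an OPNsense IKEv2
# road-warrior tunnel on the Windows native VPN client.
# Assumption: the profile is named "OPNsense-IKEv2" (hypothetical); list yours
# with Get-VpnConnection. LAN behind the firewall: 192.168.0.0/22 (from the thread).
$Conn = "OPNsense-IKEv2"
$Lan  = "192.168.0.0/22"

# 1. Confirm the profile exists and whether it is a split or full tunnel.
$vpn = Get-VpnConnection -Name $Conn -ErrorAction Stop
"Split tunneling enabled: $($vpn.SplitTunneling)"

# 2. For a split tunnel the client needs a route for the whole /22, not just
#    the /24 it derives on its own. Attach it to the profile so it is
#    re-installed every time the tunnel comes up (a manual 'route add' on the
#    VPN adapter is lost when the adapter disappears on disconnect).
Set-VpnConnection -Name $Conn -SplitTunneling $true
if (-not ($vpn.Routes | Where-Object DestinationPrefix -eq $Lan)) {
    Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix $Lan
}

# 3. Connect (Settings UI or rasdial), then check what the kernel actually
#    installed. The symptom in the thread (only 192.168.0.x reachable) shows
#    up here as a /24 bound to the VPN adapter instead of the /22.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like "192.168.*" } |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop, RouteMetric |
    Format-Table -AutoSize

# 4. Quick sweep across the four /24s of the /22 to see which part is missing.
#    Assumption: something answers ICMP at .1 of each /24; adjust to real hosts.
foreach ($net in 0..3) {
    $ip = "192.168.$net.1"
    $ok = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    "{0,-15} {1}" -f $ip, $(if ($ok) { "reachable" } else { "unreachable" })
}
```

Run it in an elevated PowerShell after the tunnel is up; step 3 is the line that tells you whether the client honoured the /22 or silently narrowed it.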

Windows 10/11 clients

I was able to get the split tunnel partially working: 0.0.0.0/0 traffic goes out the client's internet, and I added a route manually for 192.168.0.0 255.255.252.0 172.0.3.254... but I still have the issue of only about 81-82 of the hosts showing up, while there are 171 hosts up in the /22.

Most of my hosts are in the 192.168.1.0/24 range, so perhaps I could set that up as a /24; anyone that wanted to remote into other systems would have to remote into that range, though this would be equivalent to our old VPN.

So I changed it to 192.168.1.0/24 and 172.0.0.0/24, so I have a /24 on both ends (the local network is actually still a /22 though).

On my LAN I get 110 hosts up in 192.168.1.0, and I can only get to 49 of them over the tunnel, which seems very odd. I added the route 192.168.1.0 255.255.255.255 172.0.0.254 to the client manually.

If you want this working properly, try the NCP client on Windows or use OpenVPN or WireGuard. The native Windows client only creates pain and suffering, and each Windows Update could be the last. From personal experience.
Hardware:
DEC740

Hmm, yeah, I expected this to work basically the same as my strongSwan setup on Ubiquiti, but apparently that is L2TP, which is a bit different from the IKEv2 roadwarrior configuration.

I'm just baffled why I cannot communicate with some of the hosts in my local network with this setup.

Paying more for client software is hard to justify in my use case. If it were a small cost, OK, but NCP is not inexpensive.

I understand you. I tried to troubleshoot the Windows clients for countless hours. I wrote the docs I linked.

I mostly just use WireGuard these days and never looked back. If more authentication is needed, I use OpenVPN.

IPsec is reserved for site2site for my use cases.

And why you cannot reach certain hosts is 100% a Windows problem, because the routes do not work correctly even if you install them by hand and pray to the IT gods. xD
Hardware:
DEC740

Dang, I wanted it to work so bad, ha.

In any case, I guess this will send me down the WireGuard route. I mean, it kinda does work, sort of, so I will probably leave it as is as a fallback.

Well, I'm sure it can work somehow if you fiddle around with it some more, and then hope the next Windows Update doesn't break it with the next arcane regedit you have to do in order to get it to work again. xD

WireGuard is a really good choice since it's 100% route based. It really just works (if you need actual passwords and OTP or LDAP or other things due to company policies, use OpenVPN).
Hardware:
DEC740

Also, to add to the fun, Apple seems to hate IPsec too:

https://forum.opnsense.org/index.php?topic=43766

Every OS update that uses built in native clients can be the last. Woooooo~
Hardware:
DEC740