OPNsense Forum » Archive » 19.7 Legacy Series » IPSec VPN – Can access VPN network or Internet, not both!
Topic: IPSec VPN – Can access VPN network or Internet, not both! (Read 4938 times)
GreyBeard
Newbie
Posts: 4
Karma: 0
IPSec VPN – Can access VPN network or Internet, not both!
« on: October 10, 2019, 05:03:40 pm »
I have successfully set up an IPSec VPN Road Warrior profile for a Windows 10 client using PowerShell and it connects OK.
However, I can ONLY access the remote VPN LAN if the split tunnel option (found under IPv4 Networking, Advanced, IP Settings) "use default gateway on remote network" is ENABLED.
When it is enabled I CANNOT access the public Internet.
With "use default gateway on remote network" DISABLED, I can access the public Internet, but I CANNOT access machines or services within the VPN LAN.
What is required to allow me to access:
my local LAN
the Internet
the remote VPN LAN
Ideally it would be best if I could resolve DNS names for the VPN LAN, but I'll accept being able to access remote resources via IP for now.
Thanks
GreyBeard
Newbie
Posts: 4
Karma: 0
Re: IPSec VPN – Can access VPN network or Internet, not both!
« Reply #1 on: October 11, 2019, 10:42:39 am »
Seems I'm not alone.
This thread https://forum.opnsense.org/index.php?topic=14141.0 far better explains the issue and the other linked issues around IPSec.
Tubs
Full Member
Posts: 100
Karma: 3
Re: IPSec VPN – Can access VPN network or Internet, not both!
« Reply #2 on: October 12, 2019, 05:23:29 am »
I recently switched from OpenVPN to IPsec and was struggling with the same problem: access to LAN was possible but no access to WAN in the configuration where all traffic from the client should go through OPNsense.
Instead of posting my complete configuration I will give you some hints what to check, so you will come closer to the problem. (English wording might not be 100% correct due to other language settings on my system.)
(1) Route all network through IPSec tunnel
--> IPsec --> tunnel settings --> phase 2 --> local network
--> type: network
--> address 0.0.0.0/0
(2) mobile configurations
--> IPsec --> mobile clients --> client configuration --> virtual address pool
--> enabled
--> 10.10.0.0/24 (sample configuration)
--> IPsec --> mobile clients --> client configuration --> DNS server
--> enabled
--> 192.168.0.1 (example: unbound on LAN address of OPNsense)
(3) firewall: allow traffic from IPsec to WAN
--> Firewall --> IPsec
--> allow IPv4 * * * * * *
(if required, more precise rules are needed to restrict traffic)
(4) allow IPsec network to unbound (if applicable)
--> Services --> Unbound DNS --> access lists
--> add network 10.10.0.0/24 (same as in example for IPsec)
(5) NAT – route to WAN
--> Firewall --> NAT --> outbound
--> mode: hybrid (automatic rules after manual rules)
--> add
--> device: WAN
--> source address: 10.10.0.0/24 (same as in example for IPsec)
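The server-side steps above are built for a client that sends all of its traffic through the tunnel, which is what the Windows "use default gateway on remote network" setting from the first post controls. The matching client-side profile, built with PowerShell, is shown here as an added example; it is not code from this thread, from OPNsense or from any of the posters. It also shows, as an alternative the thread does not describe, the split-tunnel variant in which an explicit route to the remote LAN is installed so that local LAN, Internet and remote LAN are reachable at once, plus a small check of the routes and DNS servers the VPN interface actually received. The connection name, the server address, the 192.168.0.0/24 LAN prefix and the IPsec proposal values are assumptions and have to be adapted to the firewall's own configuration.

```powershell
# Added example (not from the thread): Windows 10 IKEv2 road-warrior profile via PowerShell,
# covering the two routing modes discussed above. Run in an elevated PowerShell session.
# All names and addresses below are assumptions / placeholders.

$Name       = 'OPNsense-RoadWarrior'   # connection name (assumption)
$Server     = 'vpn.example.invalid'    # OPNsense WAN hostname or IP (placeholder)
$RemoteLan  = '192.168.0.0/24'         # LAN behind OPNsense (assumption, fits the 192.168.0.1 DNS example)
$FullTunnel = $true                    # $true  = "use default gateway on remote network" ENABLED;
                                       #          needs phase 2 0.0.0.0/0, IPsec->WAN rule and outbound NAT
                                       # $false = split tunnel + explicit route to $RemoteLan
                                       #          (alternative not covered in the thread)

# Start from a clean profile so the script can be re-run safely.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# IKEv2 with EAP (username/password) authentication. On Add-VpnConnection, -SplitTunneling is a
# switch, so it is only added when the split-tunnel mode is wanted.
$params = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = 'IKEv2'
    AuthenticationMethod = 'Eap'
    EncryptionLevel      = 'Required'
    RememberCredential   = $true
    Force                = $true
}
if (-not $FullTunnel) { $params['SplitTunneling'] = $true }
Add-VpnConnection @params

# Pin the IPsec proposal instead of relying on the Windows defaults (which still include 3DES and
# DH group 2). These values are assumptions and must match the phase 1 / phase 2 proposals on OPNsense.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

if ($FullTunnel) {
    # Everything, Internet included, leaves through the tunnel: the client installs 0.0.0.0/0 via the
    # VPN interface on connect. Without the outbound NAT rule on OPNsense this is the "LAN works,
    # Internet does not" symptom from the thread.
    Set-VpnConnection -Name $Name -SplitTunneling $false
} else {
    # Internet stays on the local gateway, so the remote LAN needs its own route or it is unreachable
    # (the other symptom from the first post). Add-VpnConnectionRoute installs it whenever the VPN is up.
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteLan
}

# Verification helper: once the connection is up, report which routes and DNS servers the VPN
# interface actually received. The interface alias of a Windows VPN connection equals its name.
function Test-VpnRouting {
    param([string]$ConnectionName, [string]$RemotePrefix)
    $routes = Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Where-Object { $_.InterfaceAlias -eq $ConnectionName }
    $dns    = Get-DnsClientServerAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 `
              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Connected      = (Get-VpnConnection -Name $ConnectionName).ConnectionStatus -eq 'Connected'
        DefaultViaVpn  = [bool]($routes | Where-Object DestinationPrefix -eq '0.0.0.0/0')
        RemoteLanRoute = [bool]($routes | Where-Object DestinationPrefix -eq $RemotePrefix)
        PushedDns      = @($dns.ServerAddresses) -join ', '   # should be the DNS server set under mobile clients
    }
}

# Usage:
#   rasdial $Name <username> *         # connect; '*' prompts for the password
#   Test-VpnRouting $Name $RemoteLan   # full tunnel: DefaultViaVpn=True; split tunnel: RemoteLanRoute=True
```

In full-tunnel mode the check should show DefaultViaVpn as True and, if step (2) above is in place, PushedDns as the Unbound address; if Internet access still fails at that point, the missing piece is almost always the outbound NAT rule from step (5). In split-tunnel mode the default route stays on the local gateway and RemoteLanRoute should be True; the phase 2 local network on OPNsense then only has to cover the remote LAN, not 0.0.0.0/0.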
roundabout
Newbie
Posts: 2
Karma: 0
Re: IPSec VPN – Can access VPN network or Internet, not both!
« Reply #3 on: October 25, 2019, 02:42:50 pm »
Thank you Tubs, I was finally able to get my IPsec VPN working. I had pieced together the other parts from various posts on the web, but the part I was missing was adding the new NAT rule.
johnstonjs
Newbie
Posts: 6
Karma: 1
Re: IPSec VPN – Can access VPN network or Internet, not both!
« Reply #4 on: November 06, 2019, 12:31:24 am »
All,
Thank you for helping me resolve this! In the post from Tubs, entry (3) was what made the difference. I had separate firewall entries to allow IPSec traffic to LAN and WAN, and that did not work. It seems to be absolutely essential to have an all IPv4 entry to * (all).