IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
cb88 (Newbie, Posts: 6, Karma: 0)
IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
on: November 13, 2024, 12:51:01 am
So I have the tunnel working, with 192.168.0.0/22 configured for my local network and 10.0.10.1/24 set as the VPN pool. For some reason, when configured as 10.0.10.0/24 it did not work correctly, e.g. I could connect and send packets to and from the firewall, but they would not be routed to the local subnet and vice versa? After configuring the pool as 10.0.10.1 it does route traffic to at least part of my local network and back (e.g. I can now RDP to 192.168.0.24).
I'm not sure if there is some route or firewall issue preventing me from connecting to anything in the rest of my /22.
Last Edit: November 13, 2024, 12:54:53 am by cb88
cb88 (Newbie, Posts: 6, Karma: 0)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #1 on: November 13, 2024, 04:15:58 pm
Despite the fact that I can currently connect to the 192.168.0.x range of my /22 from the VPN, I am thinking I need to configure NAT between them?
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #2 on: November 13, 2024, 05:51:31 pm
Which client do you use?
Verify the routing table of the client OS to check whether the networks are indeed all in your routing table. Some clients/OSes (like Windows) dislike routes other than /24.
If not, create a full tunnel; some clients do not like split tunnels. Try to use 0.0.0.0/0 in the child.
Since I have a feeling it's the Windows native client:
https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#windows-10-11-native-vpn-client
Windows hated split tunneling with its native client. Rather use Wireguard or OpenVPN.
Last Edit: November 13, 2024, 06:01:02 pm by Monviech (Cedrik)
Hardware: DEC740
cb88 (Newbie, Posts: 6, Karma: 0)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #3 on: November 13, 2024, 07:47:04 pm
Windows 10/11 clients.
I was able to get the split tunnel partially working: 0.0.0.0/0 traffic goes out the client's internet, and I added a route manually for 192.168.0.0 255.255.252.0 172.0.3.254 ... but I still have the issue of only about 81-82 of the hosts showing up, while there are 171 hosts in the /22 up.
Most of my hosts are in the 192.168.1.0/24 range, so perhaps I could set that up as a /24; anyone that wanted to remote into other systems would have to remote into that range, though this would be equivalent to our old VPN.
cb88 (Newbie, Posts: 6, Karma: 0)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #4 on: November 13, 2024, 08:02:53 pm
So I changed it to 192.168.1.0/24 and 172.0.0.0/24, so I have a /24 on both ends (the local network is actually still a /22 though).
On my LAN I get 110 hosts up in 192.168.1.0, and I can only get to 49 of them over the tunnel, which seems very odd. I added the route 192.168.1.0 255.255.255.255 172.0.0.254 to the client manually.
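A way to do what reply #2 asks for (check the client's routing table) and what the manual route additions in replies #3 and #4 try to do, on the Windows side. This is an added PowerShell example, not code from the thread or from the OPNsense docs; the connection name, the LAN prefix and the sample host addresses are assumptions to be replaced with your own.

```powershell
# Added example, not from the thread or the OPNsense docs. Inspects the split-tunnel
# routes of a Windows native IKEv2 connection and installs the LAN prefix on the
# VPN profile. Connection name, LAN prefix and sample hosts are assumed/constructed.
# Run in an elevated PowerShell on Windows 10/11 (NetTCPIP and VpnClient modules).
$ConnectionName = 'OPNsense-IKEv2'                  # assumed: name of the VPN profile
$LanPrefix      = '192.168.0.0/22'                  # assumed: LAN behind the firewall
$SampleHosts    = @('192.168.0.24', '192.168.1.50', '192.168.3.200')  # constructed targets

function Get-VpnInterface {
    # The tunnel interface only exists while connected; Windows names it after the profile.
    Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
}

function Test-VpnReachability {
    # Ask the stack which route each sample host would use. A host that resolves to the
    # physical NIC instead of the tunnel explains "only some hosts reachable".
    param([int]$VpnIfIndex)
    foreach ($h in $SampleHosts) {
        $route = Find-NetRoute -RemoteIPAddress $h | Where-Object { $_.DestinationPrefix }
        [pscustomobject]@{
            Host      = $h
            ViaVpn    = ($route.InterfaceIndex -eq $VpnIfIndex)
            MatchedBy = $route.DestinationPrefix   # a /32 here covers exactly one host
        }
    }
}

$vpnIf = Get-VpnInterface
if (-not $vpnIf) { throw "VPN '$ConnectionName' is not connected; connect first, then rerun." }

# 1. Routes currently bound to the tunnel interface (each LAN prefix should appear here).
Get-NetRoute -InterfaceIndex $vpnIf.InterfaceIndex -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric | Format-Table -AutoSize

# 2. Per-host route lookup for the sample targets.
Test-VpnReachability -VpnIfIndex $vpnIf.InterfaceIndex | Format-Table -AutoSize

# 3. Make the LAN prefix part of the profile so it is re-applied on every connect
#    (the persistent equivalent of a manual 'route add'); reconnect afterwards.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix -PassThru

# If the /22 still does not take (the thread reports the native client misbehaving with
# prefixes other than /24), add the four /24s that make it up instead:
# 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24
```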
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #5 on: November 13, 2024, 08:39:50 pm
If you want this working properly try the NCP client on Windows or use OpenVPN or Wireguard. The native Windows client only creates pain and suffering and each Windows Update could be the last. From personal experience.
Hardware: DEC740
cb88 (Newbie, Posts: 6, Karma: 0)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #6 on: November 13, 2024, 09:01:28 pm
Hmm, yeah, I expected this to work basically the same as my strongSwan setup on Ubiquiti, but apparently that is L2TP, which is a bit different from the IKEv2 roadwarrior configuration.
I'm just baffled why I cannot communicate with some of the hosts in my local network with this setup.
Paying more for client software is hard to justify in my use case. If it were a small cost, OK, but NCP is not inexpensive.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #7 on: November 13, 2024, 09:19:52 pm
I understand you. I tried to troubleshoot the Windows clients for countless hours. I wrote those docs I linked.
I mostly just use WireGuard these days and never looked back. If more authentication is needed, I use OpenVPN.
IPsec is reserved for site2site in my use cases.
And why you cannot reach certain hosts is 100% a Windows problem, because the routes do not work correctly even if you install them by hand and pray to the IT gods. xD
Hardware: DEC740
cb88 (Newbie, Posts: 6, Karma: 0)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #8 on: November 13, 2024, 09:31:35 pm
Dang, I wanted it to work so bad, ha.
In any case, I guess this will send me down the WireGuard route. I mean, it kinda does work, sort of, so I will probably leave it as is as a fallback.
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #9 on: November 13, 2024, 09:38:29 pm
Well, I'm sure it can work somehow if you fiddle around with it some more, and then hope the next Windows Update doesn't break it with the next arcane regedit you have to do in order to get it to work again. xD
WireGuard is a really good choice since it's 100% route based. It really just works (if you need actual passwords and OTP or LDAP or other things due to company policies, use OpenVPN).
Hardware: DEC740
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1601, Karma: 176)
Re: IPSEC IKEv2 Roadwarrior setup can only talk to 192.168.0.x range
Reply #10 on: November 13, 2024, 09:40:27 pm
Also, to add to the fun, Apple seems to hate IPsec too:
https://forum.opnsense.org/index.php?topic=43766
Every OS update that uses built-in native clients can be the last. Woooooo~
Hardware: DEC740