[SOLVED] IPsec Road Warrior: No Internet only access to LAN

[Dobi]

Hello,

I read the following guides:
https://docs.opnsense.org/manual/how-tos/ipsec-road.html
https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eapradius.html
https://docs.opnsense.org/manual/how-tos/ipsec-rw-android.html#ikev2-eap-mschapv2-or-eap-radius

I also read the following topics on the same problem I have:
https://forum.opnsense.org/index.php?topic=11340.0
https://forum.opnsense.org/index.php?topic=19404.0
https://github.com/opnsense/core/issues/3751


Accessing the LAN I have no problems, but I don't get my IPsec clients to access the internet over VPN.

Greetings,
Dobi

[Dobi]

Here are the IPsec settings.

[Dobi]

Here are some status information.

[Dobi]

I found the solution. See attached file.

No need for NAT, no need for Reflection as described in some topics.

[danny.su]

 :'( I just follow your setting, but it not work. Could you give me some notice?
My setting info:
1.firewall -> ipsec->ipv4 * * * * *
2.firewall -> wan->IPV4 ESP * * WAN ADDRESS * * (then 500,4500)
3.firewall -> NAT->hybrid->wan ipv4 10.10.8.0/24 * * * WAN ADDRESS
4.ipsec->mobile client -> virtual address pool->10.10.8.0/24
5.ipsec->mobile client -> DNS SERVER->8.8.8.8
6.ipsec->tunnel settings->proposal 1 follow wiki
7.ipsec->tunnel settings->proposal 1 follow wiki (local network follow you 0.0.0.0/0)
Now it no access internet only lan , I have no idea how to fix it, Could you give me some advice?

[djbobyd]

I found the solution. See attached file.

No need for NAT, no need for Reflection as described in some topics.

Thanks a lot for the solution, Dobi. I've spent several hours already looking for it.
One additional step to anyone who will also try this solution. In the Firewall Rules section for the IPsec you should add an inbound rule any-to-any in order for the traffic to be allowed back. After I did this, together with the proposed solution by Dobi everything worked like a charm.
Once again, thanks a lot, Dobi!!!