Topic: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN (Read 856 times)
gctwnl
Jr. Member
Posts: 60
Karma: 0
IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
« on: December 03, 2022, 04:30:29 am »
I have set up IKEv2 IPsec. I can connect the tunnel and I can connect to the devices on OPNsense's LAN.
WAN: my-WAN-range (5 fixed IP)
LAN: 192.168.2.2/24
IPsec net: 192.168.102.2/24
Local Net: 0.0.0.0/0 (route all traffic via VPN)
Users: FreeRADIUS
When the laptop is connected via IKEv2 to the OPNsense IPsec service, it gets IP address 192.168.102.163 (set in FreeRADIUS).
When connected I can connect to sites on the LAN (so from 192.168.102.163 to for instance 192.168.2.86), but I cannot get to the internet at large. I cannot see any blocked stuff in the Firewall logging. It seems my packets disappear in a black hole when I try to reach some web site (like www.apple.com).
How can I find out what happens with the traffic from the Road Warrior laptop?
bartjsmit
Hero Member
Posts: 2017
Karma: 194
Re: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
« Reply #1 on: December 03, 2022, 08:44:51 am »
Interface, diagnostics, packet capture. Perform it simultaneously with one on your laptop. The shark is your friend: https://www.wireshark.org/
gctwnl
Jr. Member
Posts: 60
Karma: 0
Re: IPsec/IKEv2/FreeRADIUS works, but can only reach local LAN
« Reply #2 on: December 03, 2022, 01:18:44 pm »
My LAN is 192.168.2.
I can test this in two ways:
1. laptop (MacBook) connected to some 4G provider, then create the IPsec tunnel
2. laptop (MacBook) connected to a different WiFi SSID that is linked to a VLAN (192.168.3), then create the IPsec tunnel
Both give the same effect (but of course not necessarily for the same reason).
I looked at packets on the router first. When the VPN is turned on on the laptop I noticed that ICMP replies (ping) would not be returned from anything but the LAN. But what was interesting was that I also did not see the replies on the WAN:
IPsec turned on on laptop (VLAN connected to IPsec): WAN sends out requests on behalf of 192.168.102.163 but does not register a reply
IPsec turned off on laptop (VLAN only): WAN sends out requests on behalf of 192.168.3.89 and receives replies
I am going to investigate more later, but I have found a workaround for now. My Phase 2 is configured to have 0.0.0.0/0 as Local Network for the VPN client (i.e.: route all traffic through VPN). But when I turn that off, and I tell it that only LAN should be routed, I have a split VPN that works. It is not what I want, because if I take over remote machines I do not want them to have also some independent link to the internet that doesn't go through my protections, but at least I have something that can work.
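The WAN-side comparison above (requests go out, replies never appear) can be checked mechanically instead of by eye. The script below is an added example, not part of the thread: it reads `tcpdump -n` style text lines, pairs each ICMP echo request with its reply by source/destination/id/seq, and reports the sources whose requests went unanswered, noting when such a source is a private (RFC 1918) address, which is the kind of packet that will never get an answer from the internet. The capture lines and addresses (203.0.113.5 as the WAN IP, 198.51.100.7 as the web server) are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in tcpdump text format, modelled on the two WAN captures
# described in the thread: VPN client 192.168.102.163 pinging with the tunnel
# up, then the firewall's own WAN address (placeholder 203.0.113.5) pinging.
SAMPLE_CAPTURE = """\
10:01:00.000001 IP 192.168.102.163 > 198.51.100.7: ICMP echo request, id 7, seq 1, length 64
10:01:01.000002 IP 192.168.102.163 > 198.51.100.7: ICMP echo request, id 7, seq 2, length 64
10:02:00.000003 IP 203.0.113.5 > 198.51.100.7: ICMP echo request, id 9, seq 1, length 64
10:02:00.020004 IP 198.51.100.7 > 203.0.113.5: ICMP echo reply, id 9, seq 1, length 64
"""

# Matches the ICMP echo lines tcpdump prints with -n (no name resolution).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_pings(capture_text):
    """Return the (src, dst, id, seq) tuples of echo requests that saw no reply."""
    pending = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ICMP or unparsable line, ignore
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = True
        else:
            # A reply comes back with src/dst swapped relative to the request.
            pending.pop((m["dst"], m["src"], ident, seq), None)
    return list(pending)


def report(capture_text):
    """Group unanswered requests by source and flag private source addresses."""
    result = {}
    for src, dst, ident, seq in unanswered_pings(capture_text):
        entry = result.setdefault(
            src,
            {"private_source": ipaddress.ip_address(src).is_private, "unanswered": []},
        )
        entry["unanswered"].append((dst, ident, seq))
    return result


if __name__ == "__main__":
    for src, info in report(SAMPLE_CAPTURE).items():
        tag = " (private address seen on WAN)" if info["private_source"] else ""
        print(f"{src}: {len(info['unanswered'])} unanswered echo request(s){tag}")
```

Run it against a saved `tcpdump -n -i <wan> icmp` capture from OPNsense to see at a glance which client addresses leave the WAN without ever getting a reply.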