Topic: Windows default VPN client cannot connect to the VPN server inside Firewall (Read 896 times)
shaerul
Newbie
Posts: 5
Karma: 0
Windows default VPN client cannot connect to the VPN server inside Firewall
« on: January 08, 2024, 09:03:44 pm »
I am running a VPN server inside an OPNsense firewall. The firewall has two LAN interfaces, LAN1 and LAN2 (shown in the figure below). Another interface is WAN, which is connected to the public Internet through the ISP. The WAN public IP block and the LAN2 public IP block are mapped through 1:1 NAT in the OPNsense firewall. I can ping and access the VPN server (e.g. SSH, HTTPS etc.) from the Internet. Apparently there is no problem with the one-to-one NAT, but when I try to connect to the VPN server from the Windows host VPN client over the Internet, it fails. For testing purposes, I put another Windows host VPN client in LAN1 (192.168.1.10) and tried to connect to the VPN server in LAN2 (192.168.2.17). It connects flawlessly. But when I try to connect to the destination IP x.x.31.17 rather than the private IP 192.168.2.117 from the same Windows host VPN client in LAN1, it fails just like the Internet Windows VPN host/client.
It appears that the problem lies in the OPNsense configuration. Can you please help me to resolve this problem?
Internet (Public) [Public IP from ISP]
+--------------------+
| Windows VPN Client |
+--------------------+
          |
          |
          | WAN [x.x.30.132]
+-----------------------+
|   OPNsense Firewall   |  (1:1 NAT x.x.31.0/24 to 192.168.2.0/24)
+-----------------------+
   | LAN1                    | LAN2
   | [192.168.1.1/24]        | [192.168.2.1/24]
   |                         |
+--------------------+       |
| [192.168.1.10]     |       |
| Windows VPN Client |       |
+--------------------+       |
                      +----------------+
                      | [192.168.2.17] |
                      | VPN Server     |
                      +----------------+
VPN Server Config
-----------------
VPN server is assigned the LAN2 IP address 192.168.2.17/24
VPN type is L2TP/IPsec with pre-shared key
It listens on three UDP ports: 500, 1701 and 4500
OPNSense Firewall Config
------------------------
Configured with both Source NAT for LAN1 and NAT 1:1 for WAN<->LAN2
NAT 1:1 maps the entire public IP address block x.x.31.0/24 to LAN2 192.168.2.0/24
I have configured a Virtual IP address x.x.31.0/24 for WAN
Added an all-pass rule for IPv4 to Firewall->Rules->Floating and LAN2
Added a Firewall->NAT->One-to-One WAN ExternalIP InternalIP mapping entry
shaerul
Newbie
Posts: 5
Karma: 0
Re: Windows default VPN client cannot connect to the VPN server inside Firewall
« Reply #1 on: January 09, 2024, 08:59:46 pm »
I have captured the tcpdump output on the LAN2 port (replaced the public IP with x.y.46.17):
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:44.232301 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.236607 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:44.262613 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.262627 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
01:42:54.241907 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:54.251962 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:54.283246 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:43:04.306005 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:43:04.371417 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
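To read a capture like the one quoted above systematically, here is an added Python script (not from the thread or from OPNsense) that tallies the IKEv1 phases per direction and reports where the handshake stalls; it assumes tcpdump's default one-line isakmp summary format and takes the VPN server's LAN address as a parameter, and the sample capture embedded in it is constructed in the same format.

```python
import re

# tcpdump's one-line isakmp summary format, as in the capture quoted above.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$")

def analyze(capture, server_ip):
    """Tally an IKEv1 (L2TP/IPsec) exchange seen on the server's LAN; one 'attempt' is a quick-mode run the client starts, closed when it sends an informational."""
    s = {"phase1_resp": 0, "quick_attempts": 0, "quick_resp": 0,
         "inf_from_client": 0, "esp": 0, "nat_t": False}
    in_attempt = False
    for m in filter(None, map(LINE_RE.match, capture.splitlines())):
        from_server, rest = m["src"] == server_ip, m["rest"]
        s["nat_t"] |= "4500" in (m["sport"], m["dport"])   # NAT-T in use
        if "ESP(" in rest:                          # encrypted data: SA is up
            s["esp"] += 1
        elif "phase 1 R ident" in rest and from_server:
            s["phase1_resp"] += 1                   # main mode answered
        elif "oakley-quick" in rest:
            if from_server:
                s["quick_resp"] += 1
            elif not in_attempt:
                s["quick_attempts"], in_attempt = s["quick_attempts"] + 1, True
        elif " I inf" in rest and not from_server:
            s["inf_from_client"] += 1               # client tore the attempt down
            in_attempt = False
    s["verdict"] = verdict(s)
    return s

def verdict(s):
    if not s["phase1_resp"]:
        return "no phase 1 reply: UDP/500 not reaching the server"
    if s["esp"]:
        return "IPsec SA established, ESP flowing"
    if not s["quick_resp"]:
        return "phase 1 ok, server never answers quick mode"
    return ("phase 1 ok, but the client gives up on quick mode %d times and no ESP "
            "follows: phase 2 mismatch; with a NAT'd server check NAT-T/transport "
            "settings on both ends" % s["inf_from_client"])

# Constructed sample in the post's format (public address masked as x.y.46.17).
SAMPLE = """\
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""
```

On the quoted capture this reports that phase 1 completes (so the PSK and UDP 500/4500 do reach the server through the 1:1 NAT) while every quick-mode attempt ends with a client informational and no ESP, which points at the phase 2 negotiation rather than the NAT mapping. A well-known cause with an L2TP/IPsec server behind NAT is the Windows client refusing the NAT'd server unless the AssumeUDPEncapsulationContextOnSendRule registry value is set (Microsoft KB 926179).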