Topic: OPNSense is blocking VPN client access to VPN server (Read 967 times)
shaerul (Newbie, Posts: 5, Karma: 0), on: January 09, 2024, 12:07:11 pm
Internet [Public IP from ISP]
+-------------------+
|Windows VPN Client |
+-------------------+
          |
          |
          | WAN [x.x.30.132]
+-----------------------+
|   OPNsense Firewall   | (1:1 NAT x.x.31.0/24 to 192.168.2.0/24)
+-----------------------+
          | LAN [192.168.2.1/24]
          |
          |
          + [192.168.2.17]
     |VPN Server|
I am running a VPN Server inside an OPNsense Firewall. The WAN public IP block and the LAN private IP block are mapped through 1:1 NAT in the OPNsense Firewall. Apparently, there is no problem with the one-to-one NAT. But when I try to connect to the VPN server (x.x.31.17->192.168.2.17) from the Windows host VPN client over the Internet, it fails. For testing purposes I put a Windows host VPN client in the LAN and tried to connect to the VPN Server (192.168.2.17). It connects flawlessly.
VPN Type is L2TP/IPSec with pre-shared key.
Can you please help me to resolve this issue?
shaerul (Newbie, Posts: 5, Karma: 0), Reply #1 on: January 09, 2024, 08:52:02 pm
The UDP packets captured at the OPNsense firewall's LAN port are as follows (replaced public IP of the VPN client with x.y.46.17):
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:44.232301 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.236607 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:44.262613 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.262627 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
01:42:54.241907 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:54.251962 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:54.283246 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:43:04.306005 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:43:04.371417 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
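An added example, not part of the original posts: this Python script tallies a tcpdump text capture like the one in Reply #1 by IKE exchange and direction, showing how far the negotiation got and whether any ESP-in-UDP data followed it. The function names are hypothetical, the sample is an excerpt of the lines posted above, and the script assumes tcpdump's `UDP-encap:` prefix for ESP carried on port 4500.

```python
import re
from collections import Counter

# Excerpt of the capture in Reply #1 (tcpdump text output, same redaction).
SAMPLE = """\
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
"""

LINE = re.compile(r"^(\S+) IP \S+\.(\d+) > \S+\.(\d+): (.*)$")
IKE = re.compile(r"isakmp: (phase 1|phase 2/others) ([IR]) ([\w-]+)")

def parse(text):
    """Return (time, src_port, role, kind) per packet; role is 'I', 'R' or None."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a tcpdump IP line
        ts, sport, _dport, payload = m.groups()
        ike = IKE.search(payload)
        if ike:
            events.append((ts, int(sport), ike.group(2), ike.group(3)))
        elif payload.startswith("UDP-encap:"):
            events.append((ts, int(sport), None, "esp-in-udp"))  # tunnel data
        elif "nat-keep-alive" in payload:
            events.append((ts, int(sport), None, "nat-keepalive"))
    return events

def summarize(events):
    """Count packets per (kind, role) and report how far the exchange got."""
    counts = Counter((kind, role) for _, _, role, kind in events)
    return {
        "counts": counts,
        "moved_to_4500": any(port == 4500 for _, port, _, _ in events),
        "phase1_answered": counts[("ident", "R")] > 0,
        "quick_mode_answered": counts[("oakley-quick", "R")] > 0,
        "initiator_informational": counts[("inf", "I")],
        "esp_seen": counts[("esp-in-udp", None)] > 0,
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the excerpt it reports that phase 1 and quick mode were both answered, that the initiator sent one informational message, and that no ESP data was seen. The `[E]` payloads are encrypted, so the capture alone does not show what the informational message carries.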