Author Topic: Mobile IPSEC clients access to LAN?

bobkoure (Newbie, Posts: 10)
Mobile IPSEC clients access to LAN?
« on: October 12, 2017, 02:52:11 pm »
I have mobile clients connecting using https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

My Win10 VPN built-in client indicates 'connected', but I cannot ping my pfSense box.

I set the IPSEC mobile client assigned range to something other than a subnet of my LAN.
Do I need to change this? Or should I instead create a route?

My firewall/rules/ipsec already contains an any/any/any rule, so I don't expect the issue to be there.

Thanks!

laped (Jr. Member, Posts: 41)
Re: Mobile IPSEC clients access to LAN?
« Reply #1 on: October 16, 2017, 03:36:54 pm »
One way you can do this is to create a ProxyARP rule and add the network mobile client pool to the LAN interface.

bobkoure (Newbie, Posts: 10)
Re: Mobile IPSEC clients access to LAN?
« Reply #2 on: October 17, 2017, 02:41:38 pm »
Thanks for the response!

I'm still a bit puzzled, and don't have it working (sigh).
I go to Firewall / Virtual IPs, create a new one:
interface - LAN
address type - network
address(es) - same as the range IPsec is handing to mobile clients (172.16.48.0/24)
selected radio button Proxy ARP

Saved. ...and I still can't ping anything on my LAN segment (172.16.52.0/24)

FWIW, as part of my trying to get this working, I had created a single address virtual IP (172.16.48.1). I can ping that, get a response. I'd guess that that was the firewall responding, but I can't get to the web UI via that address.

I'm using EAP-MSCHAPv2 as that, along with exporting / importing a CA cert, lets me connect using the Win10 client, plus the Android strongSwan app.

Any ideas?

Thanks again!

laped (Jr. Member, Posts: 41)
Re: Mobile IPSEC clients access to LAN?
« Reply #3 on: October 17, 2017, 04:15:53 pm »
Which subnet are you using for the mobile clients? It has to be a 172.16.0.0/16. In order to use Proxy ARP you have to separate the mobile pool from the LAN segment, which you have done fine. So check the subnet and maybe use some packet capture on the pfSense Diagnostics page and capture on LAN and IPsec to see how far the packets traverse. Checking the firewall log can also help for troubleshooting. :D

For some time I have considered making a guide using IPSec/IKEv2 with PSK and ProxyARP. Sounds like it could be useful for some to get started. I'll try to make one tomorrow.

laped (Jr. Member, Posts: 41)
Re: Mobile IPSEC clients access to LAN?
« Reply #4 on: October 18, 2017, 02:05:35 am »
Update: you will need the 172.16.0.0/16 subnet for the mobile clients if the mobile clients should ping each other. If they only should have access to the LAN segment then a 172.16.52.0/24 subnet should be enough.
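An added sanity check for the addressing layout discussed in this thread (the mobile pool, the LAN subnet and the Proxy ARP VIPs on LAN); this is example code written for this page, not part of pfSense or any poster's configuration. It assumes the LAN interface name `em1` and uses `enc0`, pfSense's IPsec interface, for the capture commands laped suggests.

```python
import ipaddress


def check_mobile_ipsec_layout(lan_cidr, pool_cidr, proxyarp_vips):
    """Return findings for a pfSense mobile IPsec + Proxy ARP layout.

    lan_cidr:      LAN interface subnet, e.g. "172.16.52.0/24"
    pool_cidr:     the Mobile Clients virtual address pool
    proxyarp_vips: Proxy ARP virtual IPs configured on the LAN interface
    An empty list means the addressing is consistent; what remains to
    check is then firewall rules or the client, which a capture on the
    LAN and IPsec interfaces separates.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    vips = [ipaddress.ip_network(v, strict=False) for v in proxyarp_vips]
    findings = []
    # Proxy ARP only makes sense for addresses that are NOT on the LAN wire.
    if pool.overlaps(lan):
        findings.append("pool overlaps LAN: keep the mobile pool outside the LAN subnet")
    # LAN hosts ARP for the client addresses; the firewall must answer for the
    # whole pool, so a single-address VIP (e.g. 172.16.48.1) is not enough.
    if not any(pool.subnet_of(v) for v in vips):
        findings.append("no Proxy ARP VIP on LAN covers the pool: LAN hosts "
                        "cannot resolve client addresses")
    # A VIP that covers real LAN addresses makes the firewall answer ARP for them.
    for v in vips:
        if v.overlaps(lan):
            findings.append(f"Proxy ARP VIP {v} overlaps LAN: firewall would "
                            f"answer ARP for real LAN hosts")
    return findings


def capture_commands(pool_cidr, lan_if="em1"):
    """tcpdump lines for the pfSense shell, one per side of the firewall.
    lan_if is an assumed interface name; enc0 is the IPsec interface."""
    return [f"tcpdump -ni enc0 net {pool_cidr} and icmp",
            f"tcpdump -ni {lan_if} net {pool_cidr} and icmp"]


if __name__ == "__main__":
    # Constructed input matching the values posted in this thread.
    for f in check_mobile_ipsec_layout("172.16.52.0/24", "172.16.48.0/24",
                                       ["172.16.48.1/32"]):
        print("finding:", f)
    print("\n".join(capture_commands("172.16.48.0/24")))
```

If pings show up on enc0 but never on the LAN interface, the problem is on the firewall (rules or VIP); if they appear on LAN with no reply, the LAN host is the one to look at.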