Hello Jim,

On Wed., Feb. 06, 2013, Jim Pingle wrote:
>On 2/6/2013 1:42 PM, [email protected] wrote:
>>   192.168.1.1$ tcpdump -i lan  # the same pfsense router's LAN
>>   18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 
>> 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 
>> 0,nop,wscale 7], length 0
>>   18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, 
>> length 46
>>   --------------- !!!  -------
>>   --------------- !!!  -------
>>   Reply from 192.168.1.88 to telnet client fails here.
>
>Where did 192.168.1.55 come from?
>
  conn here
      left=%defaultroute        # 192.168.0.22
      leftsourceip=%modeconfig  # 192.168.1.55
      right=12.34.56.78
      rightsubnet=192.168.1.0/24

The pluto(8) configuration keyword '%modeconfig' means to get
the virtual IP from the raccoon(8) server. The mobile IPSec client
running pluto(8) has the IP 192.168.0.22, but gets the virtual IP
192.168.1.55 from the PFSense raccoon(8) server, so that's correct.

If you looked at the PFSense screenshot there was a wrong
IP address in the Mobile Clients config, sorry about that.

>Your mobile IPsec client subnet cannot be inside of the LAN
>subnet, it must be a separate subnet.
>
I haven't specified any mobile client subnet as you see from the
config snippet above. The 'left' is the mobile client and 'right'
is the PFSense raccoon(8) server. 'rightsubnet' is the LAN subnet.

The mobile client starts with 192.168.0.22 and when connecting or
sending to VPN tunneled hosts (identified by 'rightsubnet') it
masquerades its IP as the virtual IP 192.168.1.55 given out by
the raccoon(8) server in PFSense.

Can you clarify 'cannot be inside of the LAN subnet' please? Should
I disable 'Virtual Address Pool' in VPN/IPSec/Mobileclients or change
it from 192.168.1.48/29 to a foreign (not inside LAN) subnet?

Thanks,
Michael
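An added check (not part of this thread) that models the addressing problem the thread is about: it parses the conn snippet, tests whether the pfSense virtual address pool overlaps 'rightsubnet', and shows why a LAN host answers 192.168.1.55 with an ARP request rather than sending the reply to the router. It assumes the pfSense LAN address is 192.168.1.1, as the tcpdump prompt suggests, and that the IPs in the trailing comments are what %defaultroute and %modeconfig resolve to.

```python
"""Diagnose a mobile IPsec virtual IP that falls inside the LAN subnet."""
import ipaddress
import re

# Constructed copy of the conn block from the mail; the trailing comments
# carry the addresses that '%defaultroute' and '%modeconfig' resolve to.
CONN_TEXT = """
conn here
    left=%defaultroute        # 192.168.0.22
    leftsourceip=%modeconfig  # 192.168.1.55
    right=12.34.56.78
    rightsubnet=192.168.1.0/24
"""
VIRTUAL_POOL = "192.168.1.48/29"   # pfSense 'Virtual Address Pool' from the mail
LAN_GATEWAY = "192.168.1.1"        # assumed pfSense LAN address (tcpdump prompt)

def parse_conn(text):
    """Return {key: (value, resolved)} for a pluto-style conn block.
    'resolved' is the address given in the trailing comment, or None."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(\S+)(?:\s*#\s*(\S+))?", line)
        if m:
            conf[m.group(1)] = (m.group(2), m.group(3))
    return conf

def lan_host_next_hop(dst_ip, lan_subnet, gateway):
    """How a LAN host delivers a packet to dst_ip: 'arp' if it believes the
    destination is on-link, otherwise the gateway it forwards to."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(lan_subnet):
        return "arp"      # host ARPs on the LAN; nobody there owns the VPN VIP
    return gateway        # host hands the packet to the router, which has the SA

def diagnose(conn_text=CONN_TEXT, pool=VIRTUAL_POOL, gateway=LAN_GATEWAY):
    """Return the findings a reviewer would raise for this configuration."""
    conn = parse_conn(conn_text)
    lan = conn["rightsubnet"][0]
    vip = conn["leftsourceip"][1]
    findings = []
    if ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(lan)):
        findings.append("virtual pool %s overlaps LAN subnet %s" % (pool, lan))
    if lan_host_next_hop(vip, lan, gateway) == "arp":
        findings.append("LAN hosts ARP for %s instead of routing via %s"
                        % (vip, gateway))
    return findings
```

With the pool moved outside 192.168.1.0/24 (and the client therefore given a VIP outside it), the second finding disappears as well, which is what the "separate subnet" advice achieves.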
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
