On 2/6/2013 3:26 PM, [email protected] wrote:
> The pluto(8) configuration keyword '%modeconfig' means to get
> the virtual IP from the raccoon(8) server. The mobile IPSec client
> running pluto(8) has the IP 192.168.0.22, but gets the virtual IP
> 192.168.1.55 from the PFSense raccoon(8) server, so that's correct.

[snip]

>> Your mobile IPsec client subnet cannot be inside of the LAN
>> subnet, it must be a separate subnet.
>>
> I haven't specified any mobile client subnet as you see from the
> config snippet above. The 'left' is the mobile client and 'right'
> is the PFSense raccoon(8) server. 'rightsubnet' is the LAN subnet.

^^ This part ...

> The mobile client starts with 192.168.0.22 and when connecting or
> sending to VPN tunneled hosts (identified by 'rightsubnet') it
> masquerades its IP as the virtual IP 192.168.1.55 given out by
> the raccoon(8) server in PFSense.
>
> Can you clarify 'cannot be inside of the LAN subnet' please? Should
> I disable 'Virtual Address Pool' in VPN/IPSec/Mobileclients or change
> it from 192.168.1.48/29 to a foreign (not inside LAN) subnet?

And ^^ this part do not agree.

Virtual Address Pool is the mobile IPsec client subnet supplied by modeconfig. If you specified a virtual address pool, you specified a mobile IPsec client subnet. That cannot overlap your LAN subnet or any other subnet currently in use.

Your local PCs are sending ARP to find the IP as it's part of a local subnet, but it's not local, it's on the VPN.

Use a unique subnet for the virtual address pool and it will probably work.

Jim

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
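The overlap rule Jim describes, as an added example that is not part of the thread or of pfSense itself: a small Python check that flags a mobile IPsec virtual address pool overlapping any subnet already in use, and a model of the LAN host's forwarding decision that shows why an overlapping pool fails (the host ARPs for a "local" address that only exists on the far side of the tunnel instead of sending the packet to the pfSense gateway). The thread gives the pool 192.168.1.48/29 and the client's home address 192.168.0.22; the LAN being 192.168.1.0/24 with pfSense at 192.168.1.1, and the client's home network being 192.168.0.0/24, are assumptions for the example, as is the alternative pool 10.99.0.0/24.

```python
"""Added example, not code from the pfSense mailing-list thread.

Checks a mobile IPsec virtual address pool (supplied to clients via
modeconfig) against every subnet already in use, and models the
forwarding decision of a LAN host to show why an overlapping pool breaks
traffic to mobile clients.

Assumptions not stated in the thread: LAN is 192.168.1.0/24 with pfSense
at 192.168.1.1; the mobile client's home network is 192.168.0.0/24.
"""
import ipaddress

# Subnets already in use. Values are assumptions derived from the thread
# (192.168.1.55 is said to be inside the LAN; the client has 192.168.0.22).
IN_USE = {
    "LAN (rightsubnet)": ipaddress.ip_network("192.168.1.0/24"),  # assumed
    "mobile client home": ipaddress.ip_network("192.168.0.0/24"),  # assumed
}


def pool_conflicts(pool, in_use=IN_USE):
    """Return the names of in-use subnets that overlap the virtual pool.

    An empty list means the pool is unique, which is what the mobile
    IPsec configuration requires.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    return sorted(name for name, net in in_use.items() if pool_net.overlaps(net))


def pick_free_pool(candidates, in_use=IN_USE):
    """Return the first candidate pool that overlaps nothing, or None."""
    for cand in candidates:
        if not pool_conflicts(cand, in_use):
            return cand
    return None


def lan_host_next_hop(dst, lan_net, lan_gateway):
    """Model how a LAN host delivers a packet to dst.

    If dst falls inside the host's own subnet the host treats it as
    on-link and ARPs for it directly; that ARP goes unanswered when dst
    is a virtual IP living on the VPN. Otherwise the packet goes to the
    default gateway (pfSense), where the IPsec policy can pick it up.
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in ipaddress.ip_network(lan_net):
        return ("arp", str(dst_ip))
    return ("gateway", str(lan_gateway))


if __name__ == "__main__":
    for pool in ("192.168.1.48/29", "10.99.0.0/24"):
        clash = pool_conflicts(pool)
        print(f"{pool}: {'overlaps ' + ', '.join(clash) if clash else 'unique, OK'}")
    # Traffic from a LAN PC to a client holding a virtual IP from each pool.
    print(lan_host_next_hop("192.168.1.55", "192.168.1.0/24", "192.168.1.1"))
    print(lan_host_next_hop("10.99.0.5", "192.168.1.0/24", "192.168.1.1"))
    print("suggested pool:", pick_free_pool(["192.168.1.48/29", "10.99.0.0/24"]))
```

The first pool reproduces the thread's setup: 192.168.1.48/29 sits inside the LAN, so a LAN PC ARPs for 192.168.1.55 and never hands the packet to pfSense. With a pool such as 10.99.0.0/24 the same PC routes through the gateway, which is where the IPsec security policy for the mobile clients lives.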
