I have a problem with an IPsec VPN setup in pfSense 2.0.2 that I wonder if 
anyone can help me solve.

I am trying to set up a pfSense IPsec VPN for mobile clients.  The clients will 
be using the built-in "Cisco IPSec" client in Mac OS X 10.7 and 10.8 to 
connect.  I have assigned the Virtual Address Pool as 192.168.5.0/24, which is 
disjoint from those on the pfSense gateway.  In my Phase 2 Tunnel definition in 
pfSense, I am using "Mode: Tunnel" and "Local Network: LAN subnet" to give 
mobile clients access to the pfSense LAN side.

Here is my problem: the setup *almost* works.  When I say almost I mean that 
mobile clients connecting from behind a NAT appear to have connectivity to the 
pfSense LAN but mobile clients not behind a NAT don't.

Here is an example: I have two test clients connecting.  One is a Mac desktop 
with direct Internet connection (wired ethernet using a public IP address) and 
the other is a Mac laptop connecting over WiFi (and a private IP address behind 
a NAT).  Both clients have identical client-side setups for the VPN in the 
networking section of System Preferences.  Both clients establish connections 
to the pfSense VPN without problem.  Tcpdump on the client side shows IPsec 
traffic being router over the respective WAN link.

If I ping a machine on the pfSense LAN side from each client I get a reply in 
the case of the Mac client behind the NAT but get "Request timeout for icmp_seq 
..." for the Mac client not behind the NAT.  Running "tcpdump -ni enc0 icmp" on 
the pfSense gateway shows ICMP echo requests incoming for both clients but only 
an outgoing ICMP echo reply response for the Mac client behind the NAT.  
Running tcpdump on the machine being pinged on the pfSense LAN I see ICMP echo 
requests and corresponding ICMP echo replies for both Mac clients.  I get the 
same when running tcpdump on the LAN interface of the pfSense gateway (i.e., I 
see matching ICMP echo request/reply crossing the LAN interface for each 
client).

So, it seems that ping requests are reaching the system on the pfSense LAN but 
the ping replies are only making it back out over the IPsec VPN tunnel to the 
Mac client that is behind the NAT.  The replies back to the client not using 
NAT-T appear to stop short at the pfSense gateway and are not encapsulated and 
sent over the IPsec tunnel.

I don't believe this is an issue of firewall rules because I would assume it 
would affect both clients in the IPsec virtual address pool.

Does anyone have any suggestions how I might get this working?  Does anyone 
have a working setup that is using the Apple "Cisco IPSec" client that is *not* 
operating from behind a NAT?

Any help is gratefully appreciated.

Cheers,

Paul.
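The diagnosis above rests on comparing what "tcpdump -ni enc0 icmp" shows per client: echo requests arriving from both virtual-pool addresses, but echo replies leaving for only one of them. The script below, an added example and not something from the original mail or from pfSense, turns that comparison into a repeatable check. It parses tcpdump text, counts echo requests from each address in the virtual address pool and echo replies back to it, and reports the clients that only ever appear in one direction. The capture text, the SPI values and the 192.168.1.20 LAN host are constructed sample data; the pool 192.168.5.0/24 is the one given in the mail.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of "tcpdump -ni enc0 icmp" output on a pfSense gateway.
# Not a capture from the poster's system; the SPI values and the LAN host
# 192.168.1.20 are made up. Client .2 gets replies, client .3 does not.
SAMPLE_CAPTURE = """\
12:01:05.100001 (authentic,confidential): SPI 0x0a1b2c3d: IP 192.168.5.2 > 192.168.1.20: ICMP echo request, id 4321, seq 0, length 64
12:01:05.100450 (authentic,confidential): SPI 0x4d5e6f70: IP 192.168.1.20 > 192.168.5.2: ICMP echo reply, id 4321, seq 0, length 64
12:01:05.200001 (authentic,confidential): SPI 0x11223344: IP 192.168.5.3 > 192.168.1.20: ICMP echo request, id 8765, seq 0, length 64
12:01:06.100001 (authentic,confidential): SPI 0x0a1b2c3d: IP 192.168.5.2 > 192.168.1.20: ICMP echo request, id 4321, seq 1, length 64
12:01:06.100450 (authentic,confidential): SPI 0x4d5e6f70: IP 192.168.1.20 > 192.168.5.2: ICMP echo reply, id 4321, seq 1, length 64
12:01:06.200001 (authentic,confidential): SPI 0x11223344: IP 192.168.5.3 > 192.168.1.20: ICMP echo request, id 8765, seq 1, length 64
"""

# Matches the ICMP echo part of a tcpdump line regardless of the enc0
# "(authentic,confidential): SPI ...:" prefix that precedes it.
ICMP_ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echo(line):
    """Return (src, dst, kind, id, seq) for an ICMP echo line, else None."""
    m = ICMP_ECHO_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["kind"], m["id"], m["seq"]


def tally_by_client(capture, client_pool):
    """Count echo requests from, and echo replies to, each pool address.

    Returns (counts, pending): counts maps client -> {"requests", "replies"};
    pending holds (client, id, seq) tuples whose reply never appeared.
    """
    pool = ip_network(client_pool)
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    pending = set()
    for line in capture.splitlines():
        parsed = parse_echo(line)
        if parsed is None:
            continue
        src, dst, kind, ident, seq = parsed
        if kind == "request" and ip_address(src) in pool:
            counts[src]["requests"] += 1
            pending.add((src, ident, seq))
        elif kind == "reply" and ip_address(dst) in pool:
            counts[dst]["replies"] += 1
            pending.discard((dst, ident, seq))
    return dict(counts), pending


def find_one_way_clients(capture, client_pool):
    """Pool addresses whose requests were seen but that never received a reply."""
    counts, _ = tally_by_client(capture, client_pool)
    return sorted(
        client for client, n in counts.items()
        if n["requests"] > 0 and n["replies"] == 0
    )


if __name__ == "__main__":
    counts, pending = tally_by_client(SAMPLE_CAPTURE, "192.168.5.0/24")
    for client, n in sorted(counts.items()):
        print(f"{client}: {n['requests']} requests, {n['replies']} replies")
    print("one-way clients:", find_one_way_clients(SAMPLE_CAPTURE, "192.168.5.0/24"))
```

Feed it the saved output of the enc0 capture (for example `tcpdump -ni enc0 icmp > enc0.txt`) and the same pool you configured in the mobile-clients settings. A client listed as one-way on enc0 while its replies are visible on the LAN interface is exactly the symptom in the mail: the reply reaches the gateway but is never encapsulated back into that client's tunnel, which narrows the search to the Phase 2 selectors and the NAT-T state for that peer rather than to the LAN host or the firewall rules.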

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list