Author Topic: EFW Community 3.3.25 - IPSec VPN problem  (Read 61682 times)
heavymetalforever (Jr. Member, Posts: 1)

« on: Monday 30 October 2023, 05:05:39 am »

Hi all community!
I'm new on this forum so I'll try to explain my problem as clear as possible.
I've set up my Endian as follows:

RED network: 10.0.0.2/24 (behind a router, but the WAN IP of the firewall is on DMZ on router so all traffic will be forwarded)
GREEN network: 192.168.1.0/24

I also have an instance of PiHole installed, which I use for DNS resolving and network ad blocker.
Its IP is 192.168.1.80.

Everything works perfectly while inside the GREEN network. I also enabled the IPS, and the HTTP proxy as well. Several clients connect and navigate with the proxy and PiHole as DNS.

I'd like to setup a VPN connection for my smartphone in order to connect via VPN and then navigate on Internet by using the PiHole and behind the proxy even if I'm outside home.

So, I've set up all the stuff:
- VPN type IPSec: the IP range from which the appliance will assign addresses is 192.168.2.0/28.
- Created VPN tunnel, which uses certificate
- Created the VPN local user, which uses certificate too.

I downloaded the Strongswan VPN client for Android, and I set up all that's needed to connect: I imported the RootCA certificate, as well as the personal user's certificate and the Endian Firewall certificate (the one bound to the WAN).
I've set up all certificates on Strongswan, also matching the certificates' Subjects for authentication purposes.

The smartphone connects successfully, but after that I'm no longer able to use any device on the GREEN network (for example, a notebook will disconnect from the Internet and there's no way to resume connectivity until the smartphone's VPN has been disconnected).

I noticed that if I put the RED subnet (so, 10.0.0.0/24) in the "local subnet" parameter of the VPN tunnel configuration, what I described above happens. If I set instead the GREEN subnet (so, 192.168.1.0/24, which is the wanted one, I suppose), besides losing Internet access, I'm moreover also not able to connect to LAN devices (for example, the Firewall GUI).

I've also enabled the VPN Firewall and created proper rules from IPSEC to GREEN and from GREEN to IPSEC to permit all traffic, so in the Firewall log, for example, I can see requests from 192.168.2.1 (the first assigned IP while connecting from the smartphone) to the PiHole DNS server performed and accepted. But then, the connection is lost.

Can someone please help me? Honestly I don't know on what to investigate more.

I also attach a connection log, if it can be useful.

Thank you!
Regards
Giuseppe
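Added example, not from the poster or from Endian: a small Python sanity check over the addressing given in the post above (GREEN 192.168.1.0/24, RED 10.0.0.0/24, client pool 192.168.2.0/28, PiHole at 192.168.1.80). It models the "local subnet" traffic selector of a road-warrior IPsec tunnel and reports whether the client pool overlaps any subnet already in use, whether the selector covers the LAN and the DNS host the clients are meant to reach, and whether the selector covers the firewall's own uplink subnet. The function names and finding codes are hypothetical; this is a generic check written here for illustration, not Endian's own validation logic, and it does not claim to diagnose the poster's outage.

```python
import ipaddress

# Addressing taken from the post (the poster's own values); everything else is
# a hypothetical, added sanity check, not Endian's configuration logic.
GREEN = ipaddress.ip_network("192.168.1.0/24")      # LAN the VPN clients should reach
RED = ipaddress.ip_network("10.0.0.0/24")           # uplink between the firewall and the router
VPN_POOL = ipaddress.ip_network("192.168.2.0/28")   # addresses handed out to IPsec clients
PIHOLE = ipaddress.ip_address("192.168.1.80")       # DNS the clients should use


def check_roadwarrior_subnets(local_subnet, pool=VPN_POOL, lan=GREEN, wan=RED,
                              wanted_hosts=(PIHOLE,)):
    """Return a list of (code, message) findings for a road-warrior IPsec
    tunnel whose 'local subnet' traffic selector is local_subnet.

    Finding codes (hypothetical names chosen for this example):
      pool-overlap       the client pool overlaps a subnet already in use
      local-missing-lan  the selector does not cover the LAN clients should reach
      local-covers-wan   the selector covers, or lies inside, the uplink subnet
      host-outside-sel   a host clients must reach (e.g. DNS) is outside the selector
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    findings = []

    # Pool must not collide with GREEN or RED. Overlap with the selector itself is
    # only checked for a real subnet: a 0.0.0.0/0 selector (full tunnel) covers
    # everything by design.
    checks = [("GREEN", lan), ("RED", wan)]
    if local.prefixlen > 0:
        checks.append(("local subnet selector", local))
    for name, net in checks:
        if pool.overlaps(net):
            findings.append(("pool-overlap",
                             f"client pool {pool} overlaps {name} {net}"))

    # Clients can only reach what the selector advertises.
    if not lan.subnet_of(local):
        findings.append(("local-missing-lan",
                         f"selector {local} does not include LAN {lan}"))

    # A selector that is (or contains) the uplink subnet steers client traffic
    # toward the firewall's own WAN side rather than the LAN.
    if wan.subnet_of(local) or local.subnet_of(wan):
        findings.append(("local-covers-wan",
                         f"selector {local} includes or lies inside uplink subnet {wan}"))

    for host in wanted_hosts:
        if host not in local:
            findings.append(("host-outside-sel",
                             f"{host} is not covered by selector {local}"))

    return findings


def finding_codes(local_subnet, **kwargs):
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in check_roadwarrior_subnets(local_subnet, **kwargs)]


if __name__ == "__main__":
    # The two selectors the poster tried, plus a wider one for comparison.
    for selector in ("10.0.0.0/24", "192.168.1.0/24", "192.168.0.0/16"):
        print(selector, "->", check_roadwarrior_subnets(selector) or "no findings")
```

Run it as-is to see how the three selectors compare. Note that a 0.0.0.0/0 selector (a full tunnel, which is what routing all phone traffic through PiHole and the proxy implies) necessarily includes the uplink subnet, so for that case the local-covers-wan finding is informational rather than a misconfiguration.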