Bug #3016
IPsec client (or branch office) can't access the Internet over VPN gateway
Status: closed (100% done)
Description
Branch office tunnel:
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 0.0.0.0/0
root(1): cat /var/etc/ipsec/spd.conf
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
spdadd -4 0.0.0.0/0 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 0.0.0.0/0 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
Main office
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 0.0.0.0/0
: cat /var/etc/ipsec/spd.conf
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
The tunnel used to reach the Internet through the main office disappears without any message in /var/log/system.log.
The problem was probably introduced by the fix for issue #2201 <http://redmine.pfsense.org/issues/2201>,
or by the incomplete commit <https://github.com/pfsense/pfsense/commit/2c6de2ea27e40dece742079389615211c66075ed>.
Workaround:
Instead of one tunnel with remote subnet 0.0.0.0/0, use two tunnels with remote subnets 0.0.0.0/1 and 128.0.0.0/1.
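An added check, not part of this report or of pfSense: a small Python script that parses setkey(8) spdadd lines, flags policies whose reverse entry is missing, reports which selectors one SPD has that the other lacks, and emits the /1 split from the workaround. The two SPD texts below are reconstructed from the dumps quoted above (the "none" bypass entries are omitted).

```python
import re
from ipaddress import ip_network
# Constructed from the two spd.conf dumps quoted in the report: the branch
# listing carries the 0.0.0.0/0 policies, the main-office listing does not.
BRANCH_SPD = """
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
spdadd -4 0.0.0.0/0 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 0.0.0.0/0 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
"""
MAIN_SPD = """
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
"""

# setkey(8) SPD entry: spdadd -4 <src> <dst> any -P <in|out> <policy>;
SPDADD = re.compile(r"^spdadd -4 (\S+) (\S+) any -P (in|out) (.+);$")
def parse_spd(text):
    """Return the set of (src, dst, direction, policy) tuples in an spd.conf."""
    entries = set()
    for line in text.splitlines():
        m = SPDADD.match(line.strip())
        if m:
            entries.add(m.groups())
    return entries

def unpaired(entries):
    """Selectors whose reverse entry (dst->src, opposite direction) is absent."""
    sel = {(s, d, dr) for s, d, dr, _ in entries}
    flip = {"in": "out", "out": "in"}
    return sorted(x for x in sel if (x[1], x[0], flip[x[2]]) not in sel)

def missing_from(reference, actual):
    """Selectors policed in `reference` but absent from `actual` (policy text ignored)."""
    ref = {(s, d, dr) for s, d, dr, _ in reference}
    act = {(s, d, dr) for s, d, dr, _ in actual}
    return sorted(ref - act)

def split_default_route(remote="0.0.0.0/0"):
    """Workaround from the report: replace a 0.0.0.0/0 remote subnet by its two /1 halves."""
    net = ip_network(remote)
    if net.prefixlen != 0:
        return [str(net)]
    return [str(n) for n in net.subnets(prefixlen_diff=1)]

if __name__ == "__main__":
    print("unpaired on main office:", unpaired(parse_spd(MAIN_SPD)))
    print("missing on main office :", missing_from(parse_spd(BRANCH_SPD), parse_spd(MAIN_SPD)))
    print("split default route    :", split_default_route())
```

Running it against the two dumps shows the main office SPD is internally symmetric but lacks both 0.0.0.0/0 selectors, which is why only the LAN-to-LAN traffic keeps flowing.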