IPsec with GreenBow VPN client


I am trying to set up an IPsec VPN with the GreenBow VPN client. I followed the official documentation, and the IPsec tunnel comes up and I can connect with the VPN client.

The strange thing is that I can’t connect to the local LAN as defined in the IPsec tunnel. In the connection overview I can see the tunnel is UP and the client is connected. I can ping the local LAN IP address on the Digi TransPort VPN tunnel, but that’s all. I can’t reach any host in that LAN. On my Windows machine, where I have the GreenBow VPN client running, I can see a new route has been added. The strange thing is the new route should use gateway (using remote LAN on the Digi TransPort) but this gateway is not reachable. Please advise.

14:32:06, 14 Jun 2019,(344) IKE SA Removed. Peer: client,Successful Negotiation
14:32:06, 14 Jun 2019,Eroute 0 VPN up peer: client
14:32:06, 14 Jun 2019,New IPSec SA created by client
14:32:06, 14 Jun 2019,(344) New Phase 2 IKE Session xxx.xxx.xxx.xxx,Responder
14:32:06, 14 Jun 2019,(343) IKE Keys Negotiated. Peer: client
14:32:06, 14 Jun 2019,(343) New Phase 1 IKE Session xxx.xxx.xxx.xxx,Responder


If the VPN tunnel is up, but you still cannot ping the remote LAN, here are a few guidelines:

Check Phase 2 settings: VPN Client address and Remote LAN address. Usually, the VPN Client IP address should not belong to the remote LAN subnet.
Once the VPN tunnel is up, packets are sent with the ESP protocol. This protocol can be blocked by a firewall.
Check that every device between the client and the VPN server accepts ESP.
Check your VPN server logs. Packets can be dropped by one of its firewall rules.
Check that your ISP supports ESP.
If you still cannot ping, follow ICMP traffic on the VPN server LAN interface and on the LAN computer interface (with Wireshark for example).
You will have an indication that encryption works.
Check the “default gateway” value in VPN Server LAN. A target on your remote LAN can receive pings but does not answer because there is no “Default gateway” setting.
You cannot access the computers in the LAN by their name. You must specify their IP address inside the LAN.
We recommend that you install Wireshark (http://www.wireshark.org) on one of your target computers. You can check that your pings arrive inside the LAN.
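The Phase 2 address check and the default gateway check from the list above can be reasoned through from the addresses alone. The following is an added example, not part of the original posts or of any vendor tool; the function name, its parameters and all addresses are hypothetical, and it assumes "default gateway" refers to the setting on the target LAN host.

```python
import ipaddress

def diagnose(client_vip, remote_lan, host_ip, host_gateway, vpn_server_lan_ip):
    """Return (code, message) findings for one LAN host behind the VPN server.

    All names and parameters are hypothetical. host_gateway is the LAN host's
    default gateway, or None when the host has none configured.
    """
    lan = ipaddress.ip_network(remote_lan)
    vip = ipaddress.ip_address(client_vip)
    host = ipaddress.ip_address(host_ip)
    server = ipaddress.ip_address(vpn_server_lan_ip)
    findings = []

    if host not in lan or server not in lan:
        findings.append(("CONFIG", f"{host} or {server} is outside {lan}"))
    if vip in lan:
        # The host sees the client as on-link: it ARPs for the client on the
        # LAN instead of handing the reply to the VPN server, so the reply is
        # lost unless the VPN server answers ARP for the client (proxy ARP).
        findings.append(("PHASE2", f"client address {vip} belongs to {lan}"))
    elif host_gateway is None:
        # The ping arrives, but the host has no route back to the client.
        findings.append(("GATEWAY", f"{host} has no default gateway"))
    elif ipaddress.ip_address(host_gateway) != server:
        # Replies go to another router, which must route the client address
        # back to the VPN server's LAN interface.
        findings.append(("ROUTE", f"{host_gateway} needs a route to {vip} via {server}"))
    return findings

if __name__ == "__main__":
    # Constructed sample values (RFC 1918), not taken from the thread.
    cases = [
        ("192.168.1.50", "192.168.1.0/24", "192.168.1.20", "192.168.1.1", "192.168.1.1"),
        ("10.10.10.1", "192.168.1.0/24", "192.168.1.20", None, "192.168.1.1"),
        ("10.10.10.1", "192.168.1.0/24", "192.168.1.20", "192.168.1.254", "192.168.1.1"),
        ("10.10.10.1", "192.168.1.0/24", "192.168.1.20", "192.168.1.1", "192.168.1.1"),
    ]
    for case in cases:
        print(case, diagnose(*case))
```

An empty result means the addressing allows replies to return through the tunnel, so the remaining items on the list (ESP filtering, firewall rules on the VPN server) are the next things to check.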