IPSEC MUVPN - Access Client from LAN


We use IPSEC MUVPN without problems so far (using Shrew client). However we wonder if it is possible to access the client via the established tunnel form the corporate network (meaning in reverse direction)? Even if we disable the Windows firewall on the client we are not able to even ping the client via its private VPN IP address. Access in client -> server direction works as it should.

Should this be possible in general and what could be the problems this isn't working?

THX a lot.


  • Options

    Doesn't work for me either.
    However it does work for SSLVPN or IKEv2.
    For IKEv2, you need to disable Dynamic NAT on the policy which allows access to IKEv2-Users.
    And you do need to allow this incoming access on whatever PC firewall software that you have.

  • Options

    Just to be sure, there is no way to get it work with IPSEC?


  • Options
    edited July 2021

    What I found out so far.

    We have customers where it is working and customers where it is not working. The only difference between those two is the way the internet connection is realized.

    Not working:
    External interface is connected to carrier router and the Firebox is assigned a static public IP on the external interface.

    External interface is connected to a router (AVM or Lancom) which terminates the internet connection also with a static IP but the Firebox is configured as an exposed host on that router, meaning that the Firebox has a private IP configured on its external interface.

  • Options

    Since the IPSec tunnel is between the client PC and the WG firewall, I don't see why there should be a difference here.

    Consider opening a support incident on this.
    Should you find more about this, please post it.

  • Options

    OK I will do this
    THX again for you help.

  • Options

    We now have it working here with FW 12.6.4.

Sign In to comment.