• IPSec block internet

    1
    0 Votes
    1 Posts
    461 Views
    No one has replied
  • NAT addressing problem

    4
    0 Votes
    4 Posts
    671 Views
    D

    Aaaannnndd it started working, somehow.

    I played a little with "Rekey Time" and "Reauth Time" but didn't get the results I expected, so I disabled them (which is what I had before). But somehow, ICMP translation started to work. Now it works but I don't know why..... :-P

    Tks.

    Roberto

  • Pfsense L2TP over IPSEC server and TP-Link ER605 router L2TP client.

    1
    0 Votes
    1 Posts
    902 Views
    No one has replied
  • freeradius static ip assignment causes very slow speeds&packet losses

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • Block unwanted IPsec connection attempt

    3
    0 Votes
    3 Posts
    634 Views
    J

    @johnpoz
    Thanks for the reply.
    I think I've done that, I've also added it to the LAN and IPsec section for good measure.

    And still I get the following in the IPsec log:
    [image]
    I've blacked out my IP.

    Thanks
    Jacob

  • Win10 IKEv2 Connects, but No Network Access

    7
    0 Votes
    7 Posts
    1k Views
    T

    @thewaterbug said in Win10 IKEv2 Connects, but No Network Access:

    @keyser

    Thanks! Does putting the config file in the /conf/ folder work for all pfsense installs? It didn't work for me.

    My problem may have been that I didn't rename the config file. I just put it in there with its full filename, e.g.:

    config-hostname.domain.tld-20221007121918.xml

    After doing some reading, I renamed it as just config.xml. I didn't know whether to put it at the root or at /conf/, so I put it in both, and it worked this time. 🤷

  • PFSense - IPSEC to Fortigate - Too Many Phase 2 SA's kills Tunnel

    2
    0 Votes
    2 Posts
    2k Views
    B

    I have fixed it for now.

    The current tunnel configuration was set up as IKEv1. I have converted both sides of the tunnels to IKEv2 and I can now see all the SAs on the PFSENSE side and they match the networks on the Fortigate side.

    I am able to pass traffic on my 2 test networks. I will add more networks on Monday. If I can pass traffic on all 14 of the networks, then I am good. If not, IKEv2 on the PFSENSE side provided the ability to split connections. You can read more about split connections in this document.

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#advanced-options

    Thank You

  • 0 Votes
    3 Posts
    570 Views
    T

    @thewaterbug

    Fixed:

    Add-VpnConnectionRoute -ConnectionName "PI-IKEV2-VPN" -DestinationPrefix 192.168.0.0/24 -PassThru

    with the Use Default Gateway . . . unchecked.

  • IPSec Firewall not allowing SNMP

    1
    0 Votes
    1 Posts
    558 Views
    No one has replied
  • Ipsec Configuration not Working!

    66
    0 Votes
    66 Posts
    16k Views
    G

    @gary-lopez long live la raza, brother!

  • IPSec Site to Multi-Site VPN (Established but cannot ping local hosts)

    1
    1 Votes
    1 Posts
    338 Views
    No one has replied
  • Question about Site to site

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • Pfsense IPSEC LAN to LAN VPN: low bitrate output by iperf2

    2
    0 Votes
    2 Posts
    489 Views
    M

    Anyone already experienced and solved this issue?

    Additional info:
    Both the pfsense instances are running on two VMware ESXi virtual machines (each one has 4 cores + 4GB RAM).

    Mauro

  • Restrictions on IPSEC clients

    3
    0 Votes
    3 Posts
    562 Views
    C

    @steveits said in Restrictions on IPSEC clients:

    https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html

    Thanks, I did try to create some scheduled firewall rules, but they don't seem to have any effect once an IPSEC connection is established. When blocking traffic, they stop the VPN connection from happening. But if the connection is already established, then the iPhone is still able to browse the internet through the VPN.

    I think this needs to be set up a specific way with firewall rules, but I don't know how to do that. It could also be that having pfSense in a VM makes a difference to how this is done.

  • IPSEC with Nat Translation - no route

    2
    0 Votes
    2 Posts
    652 Views
    S

    @sdedurana an error in config. Solved. Please close.

  • Problem with connectivity outside of IPSEC when member is down.

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Traffic not Routed Properly when i use Pfsense Lan IP

    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • Can't connect IPSec if other IPSec connected

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • Mobile client failing to connect

    1
    0 Votes
    1 Posts
    373 Views
    No one has replied
  • IPsec tunnels not connecting during CARP HA failover

    3
    0 Votes
    3 Posts
    1k Views
    T

    Wanted to add a bit more info here as this issue remains even after upgrading to 2.6.0 today.

    My tunnels are IKEv2 in VTI mode.

    Under Phase 1 Advanced Options, I set "Child SA Start Action" to "Initiate at start (VTI or Tunnel Mode)"
    and
    "Child SA Close Action" to "Restart/Reconnect"

    Under Phase 2 > Keep Alive, I use a host on the other side of the tunnel with Keep Alive "Enable periodic keep alive check".

    The tunnels do not establish if I shut down the MASTER CARP node or "Enter Persistent CARP Maintenance Mode" on the MASTER CARP node. I have to click Connect to manually establish the tunnels.

    Seeing these messages in the IPsec System Log
    charon[43289]: 04[CFG] trap not found, unable to acquire reqid 5002

    Has anyone else seen this issue?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.