• troubleshoot packet flow in ipsec

    1
    0 Votes
    1 Posts
    164 Views
    No one has replied
  • IPsec Passthrough

    1
    0 Votes
    1 Posts
    384 Views
    No one has replied
  • IPSec VPN & load balancing with two DSL connections

    3
    0 Votes
    3 Posts
    346 Views
    C

    @jimp thanks for the tips. I think that's a bit complicated for our needs certainly right now and certainly last minute like it currently is.

    Any ideas why I can't create another ipsec tunnel and point it at the other dsl connection? I mean I can but the authentication options don't allow me to point it at my radius. I only have Mutual PSK and Mutual (something else) as options in the drop down....

    I had hoped I could set up another ipsec tunnel tied to the second DSL connection, but it doesn't seem to let me.

  • L2TP/IPSEC problem with native Android VPN client

    1
    0 Votes
    1 Posts
    769 Views
    No one has replied
  • Set up a ikev2 site to site I keep getting error

    4
    0 Votes
    4 Posts
    904 Views
    H

    @lfoerster
    thank you very much sir.

  • Routing openvpn - ipsec

    3
    0 Votes
    3 Posts
    421 Views
    L

    And here is the solution to that working with 2 different VPN protocols and keeping them transparent to both sites:
    https://administrator.de/content/detail.php?id=534696&token=421#comment-1420225
    and also here:
    https://administrator.de/content/detail.php?id=534696&token=421#comment-1420401
    That works without any errors!

  • IPSec Mobile to an other network IPSEC

    5
    0 Votes
    5 Posts
    671 Views
    Y

    @lfoerster

    Thank you very much, that's perfect.
    Everything works perfectly!
    I still had to do an "f-route" as administrator to make it work.
    As well as a reboot of my "client" machine, of the Ipsec service but also of each tunnel.

    You are an extraordinary person, thank you very much.

  • L2tp does not have access to another subnet.

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • Site To Site Vpn using ipsec ikev2, how to troubleshoot

    3
    0 Votes
    3 Posts
    511 Views
    H

    Thank you sir.
    Sadly I have only access to the web interface.
    So I have found that I can see that output initiating the connection from:
    Status -> Ipsec -> connect
    and then reading the logs in:
    System -> System Logs -> Ipsec.
    Thank you for your answer though that is really useful if I will be able to ssh into the device.

  • L2PT VPN maximum concurrent connections limit?

    7
    0 Votes
    7 Posts
    2k Views
    A

    Thanks, I will look into setting up OpenVPN instead.

  • Significant IPsec VTI interface out errors

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • L2TP/Ipsec VPN with CARP IP

    3
    0 Votes
    3 Posts
    441 Views
    A

    Unfortunately we were trying to connect a Draytek Vigor 2830 which doesn't seem to support IKEv2. But we couldn't get it working with the non CARP IP anyway.

    Thanks for your help

  • [Solved] IPSec doesn't work if behind NAT

    4
    0 Votes
    4 Posts
    3k Views
    B

    Thanks for your reply but I've already read this page and my problem doesn't appear on it.

    I've just found the solution, it's just a bug in Windows 10.

    You just need to add a reg key like this :

    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

    Restart your computer and all works like a charm!

    And honestly for me L2TP/IPSec is the best clientless VPN solution (my users can't install client so OpenVPN is not a possibility).

    Regards,

  • Multiple connections only work with mobile devices, but not PCs

    2
    0 Votes
    2 Posts
    342 Views
    S

    bump

  • IPSec/IKEV2 SMB performance issue

    6
    0 Votes
    6 Posts
    2k Views
    G

    @jimp

    And it came back. I'm wondering if it has something to do on the client site (behind a comcast/xfinity residential router). The server direct on a 1GB's dedicated connection.

    I'm guessing that either my workstation (windows 10) or the router is somehow fragmenting the packets or something. It gets spurts where it hits like 2-5MB/sec then back down to exactly 355KB/sec

    What would be a good way to test this on the Windows 10 client side of things? I don't know much about the tools for testing fragments or ipsec.

  • Mobile IPSec VPN using RADIUS and Windows NPS service

    2
    0 Votes
    2 Posts
    369 Views
    G

    @mobydick426 said in Mobile IPSec VPN using RADIUS and Windows NPS service:

    / password are not recognized. NPS didn't log anything on eventlog and Windows 10 logs an error 691

    Did you ever find a resolution to this? I am seeing the same issue. Radius users test out fine in diagnostics but I can't get any users to authenticate.

    If I used mschapv2 with the user/preshared key, everything is good (so I know ikev2 is working as expected).

    When I flip mobile client and phase 1 to radius then nothing works.

  • How do I bring up a tunnel from a client on an adjacent network?

    1
    0 Votes
    1 Posts
    128 Views
    No one has replied
  • OpenVPN client to remote IPsec network

    3
    0 Votes
    3 Posts
    385 Views
    S

    The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?

  • Traffic originated by Firewall itself cannot enter IPSEC tunnel

    2
    0 Votes
    2 Posts
    347 Views
    O

    Here is the answer: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

  • Safe IKEv2 Configuration for pfSense and Windows 10 and macOS

    11
    3 Votes
    11 Posts
    10k Views
    G

    @lifespeed said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS:

    tup, but maybe that isn't needed?
    VPN/IPsecPre-Shared/Keys:

    I don't think it's necessary as long as the trusted key is installed. I automated that in an earlier script (which I'm still adapting, but the cert portion is relevant). I have another version which maps out multiple subnets, I just don't have access to it from here.

    $Name = "NAME"
    $Server = "HOST"
    $DnsSuffix = "DnsSuffix"
    $RemoteNetwork = "xxxxxxxx/24"
    $Cert = @'
    -----BEGIN CERTIFICATE-----
    CUT AND PASTED KEY HERE
    -----END CERTIFICATE-----
    '@

    ## Add the cert
    $EncodedCert = [System.Text.Encoding]::UTF8.GetBytes($Cert)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    ## Load the cert bytes and add the cert to the LocalMachine Root store
    $pfx.Import($EncodedCert)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()

    ## Add the connection
    try {
        Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType "Ikev2" -EncryptionLevel "Required" -AuthenticationMethod Eap -SplitTunneling -AllUserConnection -RememberCredential -PassThru -DnsSuffix $DnsSuffix
    } catch [Microsoft.Management.Infrastructure.CimException] {
        ## Ignore
    }
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteNetwork
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.