Thank you sir. Sadly I have only access to the web interface. So I have found that I can see that output initiating the connection from: Status -> Ipsec -> connect and then reading the logs in : System -> System Logs -> Ipsec. Thank you for your answer though that is really useful if I will be able to ssh into the device.

Thanks, I will look into setting up OpenVPN instead.

Unfortunately we were trying to connect a Draytek Vigor 2830 which doesn't seem to support IKEv2. But we couldn't get it working with the non CARP IP anyway. Thanks for your help

Thanks for your reply but O've already read this page and my problem doesn't apprear on it. I've just found the solution, it's just a bug in Windows 10. You just need to add a reg key like this : REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f Restart you computer and all work like a charm ! And honestly for me L2TP/IPSec is the best clientless VPN solution (my users can't install client so OpenVPN is not a possibility). Regards,

bump

@jimp And it came back. I'm wondering if it as something to do on the client site (behind a comcast/xfinity residential router). The server direct on a 1GB's dedicated connection. I'm guessing that either my workstation (windows 10) or the router is somehow fragmenting the packets or something. It gets spurts where it hits like 2-5MB/sec then back down to exactly 355KB/sec What would be a good way to test this on the Windows 10 client side of things? I don't know much about the tools for testing fragments or ipsec.

@mobydick426 said in Mobile IPSec VPN using RADIUS and Windows NPS service: / password are not recognized. NPS didn't log anything on eventlog and Windows 10 logs an error 691 Did you ever find a resolution to this. I am seeing the same issue. Radius users test out fine in diagnostics but I can't get any users to authenticate. If I used mschapv2 with the user/preshared key, everything is good (so I know ikev2 is working as expected). when I flip mobile client and phase 1 to radius then nothing works.

The problem was indeed the NAT/BINAT setting in the associated phase 2. When I set it to a single IP address, the traffic exits the local pfSense via the WAN. When I set it to None, the tunnel works but without the NAT obviously. How do I enable NAT correctly here?

Here is the answer: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html

@lifespeed said in Safe IKEv2 Configuration for pfSense and Windows 10 and macOS: tup, but maybe that isn't needed? VPN/IPsecPre-Shared/Keys: I don't think it's necessary as long at the trusted key is installed. I automated that in an earlier script (which I'm still adapting, but the cert portion is relevant). I have another version which maps out multiple subnets, I just don't have access to it from here. $Name = "NAME" $Server = "HOST" $DnsSuffix = "DnsSuffix" $RemoteNetwork = "xxxxxxxx/24" $Cert = @' -----BEGIN CERTIFICATE----- CUT AND PASTED KEY HERE -----END CERTIFICATE----- '@ ## Add the cert $EncodedCert = [system.Text.Encoding]::UTF8.GetBytes($Cert) $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $store = new-object System.Security.Cryptography.X509Certificates.X509Store(“Root”,”LocalMachine”) ## Download the cert file $pfx.Import($EncodedCert); $store.Open("MaxAllowed") $store.Add($pfx) $store.Close() ## Add the connection try { Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType "Ikev2" -EncryptionLevel "Required" -AuthenticationMethod Eap -SplitTunneling -AllUserConnection -RememberCredential -PassThru -DnsSuffix $DnsSuffix } catch [Microsoft.Management.Infrastructure.CimException] { ## Ignore } Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteNetwork

I have a 150mbps symmetric connection. Without vpn speedtest shows the line speed but when vpn is enabled the speed drops considerably. In both tests, I am connected at the LAN side. Without VPN [image: 1583465997704-screenshot_20200306-090605_speedtest.jpg] With VPN [image: 1583466009068-screenshot_20200306-090504_speedtest.jpg] Is there a way to improve IPSec speed? What encryption cipher should i use to get best speed on Android?

This seemed to have helped with the DNS issue.

It became up after a while, I didn't change anything. Issue resolved.

That was only true for IKEv1 tunnels. IKEv2 tunnels can carry both. And VTI is not really a "tunnel" but routed IPsec so it's different yet.