Windows 10 IPsec IKEv2 connection with standard Microsoft VPN Client
-
Just to confirm that I built a virtual PC with standard Windows 10 professional and the built-in VPN client works fine with our pfsense 2.3.2_1 IKE with EAP-MSCHAP.
-
The latest slow ring build of Windows 10 14986 fixes the VPN issue and everything is working great now.
I leveraged a lot of learning from around the forum and ended up with an IKEv2 connection using EAP that has access to the Internet with split tunnel.
I have 'challenged' users, so I also built a script for installing the Windows client using PowerShell.
It avoids the 'run as Admin' problem and elevates to admin as needed.
For someone else to use this, you need:
-
certificate file renamed from vpn.MYDOMAINHERE.COM.file to whatever yours is called
-
replace vpn.MYDOMAINHERE.COM with your vpn domain server name
-
Name the VPN connection (RemoteNetwork)
-
customize the IP addresses of the subnets you use
-
change MYDOMAINHERE.LOCAL to be your domain extension used internally
Hope others find this useful!
```powershell
write-output " "
write-output " "
write-output " "
write-output " "
write-output " "
$Host.UI.RawUI.BackgroundColor = "Blue"
$Host.UI.RawUI.ForegroundColor = "White"

# The certificate file must be extracted next to this script
$MyFileName = "vpn.MYDOMAINHERE.COM.file"
$installCert = $PSScriptRoot + "\" + $MyFileName
if (-not (Test-Path $installCert)) {
    Write-Host "You must have the " $MyFileName " in the same directory as the other files"
    Write-Output ""
    Write-Output "Please extract all the files to the same location"
    Write-Output ""
    $Host.UI.RawUI.BackgroundColor = "Black"
    pause
    exit
}

# Get the ID and security principal of the current user account
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole)) {
    # We are running "as Administrator" - so change the title and background color to indicate this
    $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
    $Host.UI.RawUI.BackgroundColor = "Blue"
    $Host.UI.RawUI.ForegroundColor = "White"
    Clear-Host
} else {
    # We are not running "as Administrator" - so relaunch as administrator
    # Create a new process object that starts PowerShell
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    # Specify the current script path and name as a parameter
    $newProcess.Arguments = '-ExecutionPolicy Unrestricted -File "' + $myInvocation.MyCommand.Definition + '"'
    # Indicate that the process should be elevated
    $newProcess.Verb = "runas"
    # write-host $newProcess.Arguments
    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess)
    # Exit from the current, unelevated, process
    exit
}

# Run your code that needs to be elevated here
write-output "Installing Certificate"
write-output " "
write-output " "
# write-host $installCert
Import-Certificate -FilePath $installCert -CertStoreLocation Cert:\LocalMachine\Root

write-output " "
write-output "Creating VPN Connection"
write-output " "
Add-VpnConnection -Name "RemoteNetwork" -ServerAddress "vpn.MYDOMAINHERE.COM" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -RememberCredential -DnsSuffix MYDOMAINHERE.LOCAL

# Split tunnel: only these internal subnets are routed through the VPN
$null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.33.0/24 -PassThru
$null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.34.0/24 -PassThru
$null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.35.0/24 -PassThru
$null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.36.0/24 -PassThru

write-output " "
write-output "Completed. "
write-output " "
write-output " "
write-output " Success!!!!!"
write-output " "
write-output "once you have logged in once, it will remember the username and password"
write-output " "
Write-Host -NoNewLine "Press any key to continue..."
$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
```
-
-
The problem with AES and higher DH groups not working can be fixed by setting NegotiateDH2048_AES256 in the registry. This bumps the phase 1 cipher to AES256, DH group 14 and SHA256, as explained here https://github.com/trailofbits/algo/issues/9 and here http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html.
What we have not solved yet are the VPN drops after a minute or so, which started with the latest updates, only on Windows 10 1607, if you have no active traffic across the VPN. Can anyone confirm this flaw?
-
I've tried all of the above and created a simple PowerShell script that does all of the configuration, including adding the registry entry for behind a NAT firewall and using DH Group 14.
I'm still getting an 809 error when the Windows 10 computer is behind a pfSense router. I.e. if I have my Surface Pro hooked up to tethering on my Android phone, which has NAT, then the Surface Pro will connect to the pfSense VPN no problem.
If, however, I have my Surface Pro at work behind work's pfSense router and try to connect it to my home pfSense VPN with IPsec IKEv2, then it refuses to connect with an 809 error and then a 631 informational message in the logs.
Using a Mac it works fine. Just Windows 10 that has issues.
On the client firewall version of pfSense outbound rules are set to automatic.
Any ideas as to what the problem could be? (The VPN is set up according to the IPsec and MSCHAP documentation and I've checked multiple times.)
Here's the pfsense host log too which seems to indicate that it's working but then drops:
Jan 23 12:05:34
charon02[JOB] <con1|28>deleting half open IKE_SA after timeout
Jan 23 12:05:06
charon02[NET] <con1|28>sending packet: from 50.233.196.210[4500] to 10.100.0.63[4500] (1712 bytes)
Jan 23 12:05:06
charon02[IKE] <con1|28>received retransmit of request with ID 1, retransmitting response
Jan 23 12:05:06
charon02[ENC] <con1|28>parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jan 23 12:05:06
charon02[NET] <con1|28>received packet: from 10.100.0.63[4500] to 50.233.196.210[4500] (1328 bytes)
Jan 23 12:05:05
charon02[NET] <con1|28>sending packet: from 50.233.196.210[4500] to 10.100.0.63[4500] (1712 bytes)
Jan 23 12:05:05
charon02[IKE] <con1|28>received retransmit of request with ID 1, retransmitting response
Jan 23 12:05:05
charon02[ENC] <con1|28>parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jan 23 12:05:05
charon02[NET] <con1|28>received packet: from 10.100.0.63[4500] to 50.233.196.210[4500] (1328 bytes)
Thanks!
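The two registry values mentioned in the replies above (NegotiateDH2048_AES256 for the stronger phase 1 proposal, and the NAT-traversal entry for a client behind a NAT router) are the pieces that the "simple PowerShell script" in this post would contain. The block below is an added example written for this thread, not the poster's script or anything from pfSense or Microsoft; it assumes the connection was already created as "RemoteNetwork" (the placeholder name used earlier in the thread) and that it is run from an elevated PowerShell. It also pins the IKE/ESP proposal on that one connection with Set-VpnConnectionIPsecConfiguration so the client offers exactly what the pfSense phase 1 / phase 2 entries expect, with PFS left off as a later reply recommends.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not the poster's script). Assumes the VPN entry
# "RemoteNetwork" (placeholder name from the thread) already exists.

$ConnectionName = "RemoteNetwork"

# Phase 1 proposal of the built-in client. Value 2 requires AES-256 / SHA-256 /
# DH group 14 (2048-bit) instead of the 3DES / DH group 2 default; value 1 would
# only offer them alongside the defaults, 0 is the default behaviour.
$rasman = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
New-ItemProperty -Path $rasman -Name "NegotiateDH2048_AES256" `
    -PropertyType DWord -Value 2 -Force | Out-Null

# NAT traversal. When the client sits behind a NAT router (the "809 behind pfSense"
# case in this post), Windows drops the IKEv2 attempt unless this is set.
# 2 = allow NAT on both the client and the server side.
$policyAgent = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
New-ItemProperty -Path $policyAgent -Name "AssumeUDPEncapsulationContextOnSendRule" `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Pin the proposal for this one connection so it matches the pfSense side:
# IKE: AES-256 / SHA-256 / DH14, ESP: AES-256 / SHA-256, PFS off.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force | Out-Null

# Read everything back so the result can be checked before the first dial-in.
Get-ItemProperty -Path $rasman -Name "NegotiateDH2048_AES256" |
    Select-Object NegotiateDH2048_AES256
Get-ItemProperty -Path $policyAgent -Name "AssumeUDPEncapsulationContextOnSendRule" |
    Select-Object AssumeUDPEncapsulationContextOnSendRule
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod, SplitTunneling
Get-VpnConnection -Name $ConnectionName | Select-Object -ExpandProperty IPsecCustomPolicy

Write-Output "The RasMan / PolicyAgent registry values are read at service start; reboot before testing the connection."
```

Run it once after Add-VpnConnection. The two Get-ItemProperty lines should show 2 for both values and the IPsecCustomPolicy output should list AES256 / SHA256 / Group14 with PfsGroup None; if the connection still fails with 809 after a reboot, the mismatch is on the pfSense side (phase 1 / phase 2 proposal or the certificate's common name and SAN), not in the client registry.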
-
Hi all, please try the settings I mentioned here -> https://forum.pfsense.org/index.php?topic=124394.0
I also created a German step-by-step guide with the help of the pfSense wiki (on my KB).
I hope the admins consider updating the wiki soon; I will do it if they let me :P
-
Mine too was fixed with the next insider build and Windows 10 in-built client is working. However, we have a problem with the client losing connection after a period of time. Are you also seeing this? I reported it in a separate thread here.
https://forum.pfsense.org/index.php?topic=124939.0
-
Sorted it out myself. If anybody else has this issue, make sure you haven't got 'PFS key group' set to anything else but 'off' - through troubleshooting issues with it not working with latest Insider Release of Windows 10, it got switched on. Doh!
-
Hi
I've followed the docs and have an IPSEC VPN setup. It seems to be working fine from my phone & Windows 10 PC.
Under Phase 2 I've set the Local Subnet to OPT2. Does that restrict clients to that interface? Does someone need to know the username and password and have the crt to be able to connect?
Thanks
-
Thank you. That is really helpful
Regards RW
-
It is working even with CARP IP exactly with these settings: IKE aes 256 sha256 dh2; ESP aes auto sha1 sha256 pfs off and so on
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
But remember to add the CARP WAN IP in the certificate as the common name and in the Alternative Name, and add it also as an IP - the second alternative option.
In Phase 1 use IP Address (not distinguished name) with the CARP WAN IP.
If you don't have two routers with a CARP connection, then use your normal, not virtual, IP.
I can connect with native clients from Win8 and Win10 even behind a pfSense router or through mobile phone Internet.
I attached two screencasts as proof.
-
See this posting for a new updated IKEv2 EAP-MSCHAP document that works with BOTH Windows 10 AND OSX.
https://forum.pfsense.org/index.php?topic=127457.0
It combines some of the stuff in this thread in one place. Hope it helps.