Netgate Discussion Forum

    Remote Access VPN Setup

    General pfSense Questions · 18 Posts · 3 Posters · 1.4k Views
    • NogBadTheBad

      I use the following FreeRADIUS on pfSense.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • cre8toruk

        Right, so I finally have a connection... I had to export the root CA cert and import that so that the generated cert was trusted... (I'm not sure it mentioned that in the documents!).

        Next up is to a. make RADIUS work and b. be able to do something once I'm connected (which I'm not able to at the moment)…

        • stephenw10 (Netgate Administrator)

          It's the first part of the Windows client section 😉
          https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#import-the-ca-to-the-client-pc

          But Windows often updates stuff etc. Please let us know if that needs updating to match whatever the current Windows requirements are.

          Steve

          • cre8toruk @stephenw10

            @stephenw10 Aha, yes... I must have misread that... so I didn't need to download the certificate I created, only the CA one?

            • stephenw10 (Netgate Administrator)

              You don't need the server cert on the client, no. It needs the CA so it can verify the identity of the server when it connects.

              Steve

              • cre8toruk

                So next up then … I have a connection and an IP address of 192.168.205.1, a subnet mask of 255.255.255.255 and no gateway address. As a result I'm connected but I can't get to any resources (typically found on my network at 192.168.10.0 and 192.168.200.0)….
                I added the 192.168.205.0 network to my static routes pointing it at the LAN interface on 192.168.254.254, which seems to be where the other internal LANs point.... but obviously without the client getting a gateway address that could prove tricky... Should I add a gateway of 192.168.205.254?

                • stephenw10 (Netgate Administrator)

                  Hmm, no it should not be necessary to add anything. Windows is assigning the vpn adapter as /32?

                  Do all clients behave like that?

                  We're probably going to need to see some screenshots of your setup to verify it.

                  Steve

                  • cre8toruk @stephenw10

                    @stephenw10 OK, I'll see what I can do...

                    (two screenshots of the setup attached)

                    Let me know if you need anything further....

                    • stephenw10 (Netgate Administrator)

                      Nope, that seems good. It's been a while since I configured that. Windows might have changed something I guess....

                      • cre8toruk

                        Right, I think I've got this bit solved now.... The problem was in Phase 2, where I had the local network settings set to 0.0.0.0/24 as opposed to 0.0.0.0/0. I changed it to 192.168.10.0/24 (our server network) and I can connect and ping … you guessed it, the servers... I've changed it now to 0.0.0.0/0 and it still seems to hang together.... Next up, getting it to use RADIUS authentication on our NPS! :-) Thanks to everyone for their assistance.

                        • NogBadTheBad

                          RTFM 😉

                          https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html


                          When you have 0.0.0.0/0, everything from the local client will go over the VPN tunnel; if you have 192.168.10.0/24, only traffic to 192.168.10.0/24 will pass over the VPN tunnel.

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

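The two posts above (the 0.0.0.0/24 mistake and the explanation of 0.0.0.0/0 versus 192.168.10.0/24) come down to whether a destination falls inside a Phase 2 traffic selector. The script below is an added example, not code from the thread or from pfSense: it takes the selector values mentioned in the thread, checks a constructed set of destinations against each, and applies a simple heuristic of my own (0.0.0.0 with a non-zero prefix is almost certainly a mistyped "any") to flag the misconfiguration.

```python
import ipaddress

# Constructed sample destinations: the two internal networks the poster wanted to
# reach, the LAN gateway mentioned in the thread, and one Internet host.
SAMPLE_DESTINATIONS = ["192.168.10.25", "192.168.200.7", "192.168.254.254", "8.8.8.8"]

# The three Phase 2 "Local Network" values that come up in the thread.
PHASE2_MISTYPED = ["0.0.0.0/24"]          # covers only 0.0.0.0-0.0.0.255
PHASE2_SERVER_NET = ["192.168.10.0/24"]   # split tunnel: server network only
PHASE2_FULL_TUNNEL = ["0.0.0.0/0"]        # everything goes through the VPN


def tunneled_destinations(local_networks, destinations):
    """Return the destinations the client will send through the IKEv2 tunnel.

    A destination is tunneled when it lies inside at least one Phase 2 traffic
    selector; anything else keeps using the client's normal default route, which
    is why the poster could connect but reach nothing with 0.0.0.0/24.
    """
    selectors = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    return [d for d in destinations
            if any(ipaddress.ip_address(d) in sel for sel in selectors)]


def selector_warnings(local_networks):
    """Heuristic (my own, not a pfSense check): flag selectors that almost
    certainly do not mean what was intended, i.e. a 0.0.0.0 network with a
    non-zero prefix length (a mistyped 'any') or a single-host selector."""
    warnings = []
    for n in local_networks:
        net = ipaddress.ip_network(n, strict=False)
        if net.network_address == ipaddress.ip_address("0.0.0.0") and net.prefixlen != 0:
            warnings.append(f"{n}: 0.0.0.0 with /{net.prefixlen}; did you mean 0.0.0.0/0?")
        elif net.prefixlen == net.max_prefixlen:
            warnings.append(f"{n}: single-host selector; only this one address is tunneled")
    return warnings


if __name__ == "__main__":
    for label, nets in [("mistyped", PHASE2_MISTYPED),
                        ("server net", PHASE2_SERVER_NET),
                        ("full tunnel", PHASE2_FULL_TUNNEL)]:
        print(f"{label:12} {nets} -> {tunneled_destinations(nets, SAMPLE_DESTINATIONS)}")
        for w in selector_warnings(nets):
            print("   warning:", w)
```

The /32 mask the Windows adapter showed is a client-side detail and is not what the selector decides; the selector is what determines which destinations are encrypted into the tunnel.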
                          • cre8toruk @NogBadTheBad

                            @NogBadTheBad Yes, sounds about right... the penny finally dropped! ;-)

                            • stephenw10 (Netgate Administrator)

                              Nice. Not sure how I missed that /24. Must have been low on coffee!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.