Cannot connect ('passthrough') to IKEv2 vpn remote work server

sh500

Hi all,

My work have recently enabled Windows 10 always on VPN using IKEv2.

I am attempting to connect from behind my home pfsense router, but the connection cannot be established.

If I connect via my 4G mobile WiFi hotspot it goes through fine. Also, if I connect via the hotspot then change to the WiFi behind pfsense, the connection remains.This is not the case.

Any ideas what I need to do on my end to make it work from behind my pfsense router?

NB: just to be clear, the pfsense router is not being used as a IKEv2 client or server. I am simply attempting to connect to my work VPN from behind pfsense using a Windows 10 laptop.

Also, the pfsense router is in an unavoidable double nat setup.

TIA

DaddyGo

@sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

IKEv2

IKEv2 has a nice little built-in feature - IKEv2 protocol includes NAT traversal (NAT-T)

but this is how it works on dual -NAT, I think that is the point of the issue

sh500

@DaddyGo Any suggestions to make it work?

DaddyGo

@sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

IKEv2

since you cannot eliminate the issue of dual -NAT - it can also be a complicated case
(the mobile 4G hotspot works, because it only has 1 NAT (I see you changed the WiFi line above, I would have been surprised if it worked, so)

I don't know your system well because you didn't give anything about it

I would experiment with something like that:

• on the first router (NAT 1) IPSec IKEv2 passthrough (if you have access to the settings and it has such a function)
  -I would set up VPN (IKEv2) on pfSense

remember this, is not a pfSense issue
since it is a win10 laptop, the issue with this will be whether portability will be tied to pfSense

sh500

I am able to specify passthrough ports on the ISP (Plusnet UK) router. I've allowed 500 and 4500. I have also allowed the same on the pfsense WAN firewall rules.

DaddyGo

@DaddyGo said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

IKEv2 passthrough

Sorry just I was busy...( job, job)
Unfortunately, so there will be many more configurations left to work with this idea. (that's what you meant(?): ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW)

I was thinking, that: on pfSense is setting up a permanent VPN + with dedicated VPN interface and the laptop is connected to this interface.

What kind of VPN client do you use on Win10?

sh500

@DaddyGo

ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW)

Yes the above is the current setup.

As is apparent, I don't know enough about this, but I was trying to apply the same principle to my separate, unrelated internal OpenVPN server. Where I had to passthrough ports on the ISP router for it to work.

Win10 (work administered) is using Win10's built-in IKEv2 VPN.

I read pfsense cannot be set-up as a IKEv2 client with username /password authentication?