Netgate Discussion Forum

    Cannot connect ('passthrough') to IKEv2 vpn remote work server

    • sh500

      Hi all,

      My work have recently enabled Windows 10 always on VPN using IKEv2.

      I am attempting to connect from behind my home pfsense router, but the connection cannot be established.

      If I connect via my 4G mobile WiFi hotspot it goes through fine. Also, if I connect via the hotspot then change to the WiFi behind pfsense, the connection remains. This is not the case.

      Any ideas what I need to do on my end to make it work from behind my pfsense router?

      NB: just to be clear, the pfsense router is not being used as an IKEv2 client or server. I am simply attempting to connect to my work VPN from behind pfsense using a Windows 10 laptop.

      Also, the pfsense router is in an unavoidable double NAT setup.

      TIA

      • DaddyGo

        @sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

        IKEv2

        IKEv2 has a nice little built-in feature - IKEv2 protocol includes NAT traversal (NAT-T)

        but this is how it works on dual-NAT, I think that is the point of the issue

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • sh500 @DaddyGo

          @DaddyGo Any suggestions to make it work?

          • DaddyGo

            @sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

            IKEv2

            since you cannot eliminate the issue of dual-NAT - it can also be a complicated case
            (the mobile 4G hotspot works, because it only has 1 NAT) (I see you changed the WiFi line above, I would have been surprised if it worked, so)

            I don't know your system well because you didn't give anything about it

            I would experiment with something like that:

            • on the first router (NAT 1) IPsec IKEv2 passthrough (if you have access to the settings and it has such a function)
            • I would set up VPN (IKEv2) on pfSense

            remember, this is not a pfSense issue
            since it is a win10 laptop, the issue with this will be whether portability will be tied to pfSense

            • sh500

              I am able to specify passthrough ports on the ISP (Plusnet UK) router. I've allowed 500 and 4500. I have also allowed the same on the pfsense WAN firewall rules.

              • DaddyGo

                @DaddyGo said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:

                IKEv2 passthrough

                Sorry, I was just busy... (job, job)
                Unfortunately, there will be many more configurations left to work with this idea. (that's what you meant(?): ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW)

                I was thinking that: on pfSense, setting up a permanent VPN + with a dedicated VPN interface, and the laptop is connected to this interface.

                What kind of VPN client do you use on Win10?

                • sh500 @DaddyGo

                  @DaddyGo

                  ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW)

                  Yes the above is the current setup.

                  As is apparent, I don't know enough about this, but I was trying to apply the same principle to my separate, unrelated internal OpenVPN server, where I had to pass through ports on the ISP router for it to work.

                  Win10 (work administered) is using Win10's built-in IKEv2 VPN.

                  I read pfsense cannot be set up as an IKEv2 client with username/password authentication?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.