Cannot connect ('passthrough') to IKEv2 vpn remote work server
-
Hi all,
My work has recently enabled Windows 10 Always On VPN using IKEv2.
I am attempting to connect from behind my home pfsense router, but the connection cannot be established.
If I connect via my 4G mobile WiFi hotspot it goes through fine.
Also, if I connect via the hotspot then change to the WiFi behind pfsense, the connection remains. This is not the case. Any ideas what I need to do on my end to make it work from behind my pfsense router?
NB: just to be clear, the pfsense router is not being used as an IKEv2 client or server. I am simply attempting to connect to my work VPN from behind pfsense using a Windows 10 laptop.
Also, the pfsense router is in an unavoidable double NAT setup.
TIA
-
@sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:
IKEv2
IKEv2 has a nice little built-in feature: the IKEv2 protocol includes NAT traversal (NAT-T),
but this is how it works on dual NAT; I think that is the point of the issue.
-
@DaddyGo Any suggestions to make it work?
-
@sh500 said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:
IKEv2
Since you cannot eliminate the issue of dual NAT, it can also be a complicated case
(the mobile 4G hotspot works because it only has 1 NAT; I see you changed the WiFi line above, I would have been surprised if it worked, so). I don't know your system well because you didn't give anything about it.
I would experiment with something like that:
- on the first router (NAT 1), IPsec IKEv2 passthrough (if you have access to the settings and it has such a function)
- I would set up VPN (IKEv2) on pfSense
Remember, this is not a pfSense issue.
Since it is a Win10 laptop, the issue with this will be whether portability will be tied to pfSense.
-
I am able to specify passthrough ports on the ISP (Plusnet UK) router. I've allowed 500 and 4500. I have also allowed the same on the pfsense WAN firewall rules.
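As an added diagnostic, not code from this thread or from pfSense: the laptop initiates the connection outbound, so pfSense's stateful firewall already passes the replies to its own outbound state and no WAN inbound rule is involved. What a practitioner actually wants to know is which step stalls: does the IKE_SA_INIT sent to UDP 500 get an answer, does the client then move to UDP 4500 (the NAT-T switch both peers make once the NAT_DETECTION payloads in IKE_SA_INIT show a NAT in the path), and does anything come back on 4500. The script below classifies a tcpdump capture of the laptop's IKE traffic into one of those states. It assumes tcpdump's default `-n` text output, e.g. from `tcpdump -ni <lan-if> host <laptop-ip> and (udp port 500 or udp port 4500)` run on pfSense (interface and address are placeholders); the sample captures, the laptop address 192.168.1.10 and the gateway address 203.0.113.5 are constructed for the example, not taken from the thread.

```python
"""Classify a tcpdump capture of an IKEv2 client behind NAT (added example).

Usage: tcpdump -nl -i <lan-if> host <laptop-ip> and '(udp port 500 or udp port 4500)' \
           | python3 ike_natt_check.py <laptop-ip>
"""
import re
import sys
from collections import Counter

# One tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

VERDICTS = {
    "NO_IKE_SENT": "laptop never sent IKE_SA_INIT: client-side problem, not the path",
    "INIT_UNANSWERED": "IKE_SA_INIT left on UDP 500 but nothing came back: UDP 500 blocked "
                       "upstream or gateway unreachable",
    "NO_NAT_T_SWITCH": "IKE_SA_INIT answered but IKE_AUTH stayed on UDP 500: NAT-T was not "
                       "negotiated (gateway did not detect NAT or does not support NAT-T)",
    "NATT_UNANSWERED": "client switched to UDP 4500 but got no reply: UDP 4500 blocked or "
                       "mangled upstream (check 'IPsec passthrough'/ALG on the ISP router)",
    "AUTH_REPLY_ON_4500": "IKE_AUTH reply arrived on UDP 4500: NAT-T works end to end; any "
                          "remaining failure is authentication/policy, not NAT",
    "INCONCLUSIVE": "unexpected mix of packets; inspect the capture by hand",
}

# Constructed sample captures (not real traffic). 192.168.1.10 is the laptop,
# 203.0.113.5 stands in for the work VPN gateway.
SAMPLE_OK = [
    "12:00:01.000000 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[I]",
    "12:00:01.050000 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: parent_sa ikev2_init[R]",
    "12:00:01.060000 IP 192.168.1.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
    "12:00:01.110000 IP 203.0.113.5.4500 > 192.168.1.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]",
    "12:00:01.200000 IP 192.168.1.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
]
SAMPLE_4500_BLOCKED = SAMPLE_OK[:3] + [
    "12:00:03.060000 IP 192.168.1.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
    "12:00:07.060000 IP 192.168.1.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
]
SAMPLE_INIT_UNANSWERED = [
    SAMPLE_OK[0],
    "12:00:03.000000 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[I]",
]


def parse_ike_packets(lines, client_ip):
    """Yield (direction, udp_port, kind) for every IKE/NAT-T line in the capture."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) not in (500, 4500):
            continue
        rest = m.group("rest")
        if "ikev2_init" in rest:
            kind = "init"          # IKE_SA_INIT, always on UDP 500
        elif "ikev2_auth" in rest:
            kind = "auth"          # IKE_AUTH, moves to 4500 when NAT was detected
        elif "ESP(" in rest:
            kind = "esp"           # UDP-encapsulated ESP after the SA is up
        else:
            kind = "other"
        direction = "out" if m.group("src") == client_ip else "in"
        yield direction, int(m.group("dport")), kind


def diagnose(lines, client_ip):
    """Return the verdict key for a capture of client_ip's IKE traffic."""
    seen = Counter(parse_ike_packets(lines, client_ip))
    sent = {(p, k) for (d, p, k) in seen if d == "out"}
    got = {(p, k) for (d, p, k) in seen if d == "in"}
    if not sent:
        return "NO_IKE_SENT"
    if (500, "init") in sent and (500, "init") not in got:
        return "INIT_UNANSWERED"
    if not any(p == 4500 for p, _ in sent):
        return "NO_NAT_T_SWITCH"
    if not any(p == 4500 for p, _ in got):
        return "NATT_UNANSWERED"
    if (4500, "auth") in got:
        # A reply, not necessarily success: IKE_AUTH[R] can still carry an AUTH failure.
        return "AUTH_REPLY_ON_4500"
    return "INCONCLUSIVE"


if __name__ == "__main__":
    client = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    capture = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_OK
    verdict = diagnose(capture, client)
    print(f"{verdict}: {VERDICTS[verdict]}")
```

Run it against a capture taken on the pfSense LAN side first; if that already shows INIT_UNANSWERED or NATT_UNANSWERED, repeat the capture on the WAN interface to tell a pfSense problem from one on the ISP router or beyond.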
-
@DaddyGo said in Cannot connect ('passthrough') to IKEv2 vpn remote work server:
IKEv2 passthrough
Sorry, I was just busy... (job, job)
Unfortunately, there will be many more configurations left to work through with this idea. (Is that what you meant? ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW.) I was thinking that on pfSense you set up a permanent VPN with a dedicated VPN interface, and the laptop is connected to this interface.
What kind of VPN client do you use on Win10?
-
ISP router with IKEv2 passthrough (NAT1) + pfSense IKEv2 passthrough(?) (NAT2) + Win10 with VPN client SW)
Yes the above is the current setup.
As is apparent, I don't know enough about this, but I was trying to apply the same principle as for my separate, unrelated internal OpenVPN server, where I had to pass through ports on the ISP router for it to work.
Win10 (work administered) is using Win10's built-in IKEv2 VPN.
I read that pfsense cannot be set up as an IKEv2 client with username/password authentication?