Netgate Discussion Forum

IKEv2 VPN with windows 10 client can access linux machines but not windows machines in Active Directory

    aznarepse
    last edited by aznarepse Jun 23, 2020, 4:35 PM Jun 23, 2020, 4:31 PM

    pfsense is configured in the network to provide routing and load balancing between two WANs and the LAN.
    I am also trying to configure it as VPN (and retire the RRAS server).
    I have followed the guides:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
    and
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ikev2-with-eap-radius.html
    and can open a tunnel and the client in windows 10 connects and holds the connection solidly.

    The network Authentication and Authorization is managed by an Active Directory domain controller with NPS, which also provides the DHCP services and DNS services.
    The Windows 10 client can resolve DNS well in the WAN but not in the LAN, and it can also ping and access servers running Linux in the LAN. However, I cannot access any Windows OS server using any protocol (apart from the DNS server, which is given in the IP configuration).
    When the client connects, the DNS and WINS servers are configured correctly to the IP of the windows server, as configured in pfsense.
    The user is authenticated properly and is given full access to the network; as shown in the events of the DC:
    "Network Policy Server granted full access to a user because the host met the defined health policy."
    ...
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 192.168.2.10[4500]
    Calling Station Identifier: 148.252.129.32[30311]

    NAS:
    NAS IPv4 Address: 192.168.2.10
    NAS IPv6 Address: -
    NAS Identifier: strongSwan
    NAS Port-Type: Virtual
    NAS Port: 1

    RADIUS Client:
    Client Friendly Name: pfSenseVPN
    Client IP Address: 192.168.1.1

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: Connections to other access servers
    ...

    There must be something very obvious that I am missing?

    I keep banging my head against this wall and am running out of ideas....
    The version of pfsense is 2.4.5-RELEASE-p1 (amd64)

      jimp Rebel Alliance Developer Netgate
      last edited by Jun 23, 2020, 5:22 PM

      If they can reach anything at all, it's unlikely to be a problem on the clients or the firewall. First thing I'd check is the local network config/firewall on the windows systems. They may be configured to block any traffic inbound from other private subnets.

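One way to audit and fix the Windows-side condition jimp describes, as an added example (not code from the thread or from Netgate): it lists the enabled inbound allow rules whose remote scope is limited to the local subnet, which is what makes a routed VPN client look "foreign" to a Windows host while a Linux host answers normally, and then adds one narrowly scoped rule for the VPN pool. It assumes the VPN client pool is 192.168.3.0/24 (a constructed value; the thread does not give the pool) and that it runs as an administrator on the affected Windows server.

```powershell
# Added example; not from the thread. Run elevated on the Windows server that
# VPN clients cannot reach.
$VpnPool = '192.168.3.0/24'   # assumption: the virtual address pool pfSense hands to clients

# 1. Which firewall profile is active on each interface? On a domain-joined
#    server this should be DomainAuthenticated; its inbound rules are the ones
#    that decide whether routed VPN traffic is admitted.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Enabled inbound allow rules scoped to LocalSubnet. Traffic from the VPN
#    pool arrives via the firewall from another subnet, so these rules never
#    match it and the default inbound block applies (the symptom in the thread).
$scoped = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'LocalSubnet') {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Remote    = ($addr.RemoteAddress -join ',')
            }
        }
    }
$scoped | Format-Table -AutoSize

# 3. Remediate narrowly: rather than widening the built-in rules to Any, add a
#    rule per required service that admits only the VPN pool. SMB (TCP 445) is
#    shown; repeat with other ports (e.g. 3389 for RDP) only where needed.
$ruleName = 'VPN clients - SMB inbound'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Profile Domain -Protocol TCP -LocalPort 445 -RemoteAddress $VpnPool
}

# 4. Confirm the new rule's remote scope is exactly the pool and nothing wider.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If step 2 lists nothing but clients still cannot connect, check for a third-party host firewall or a GPO-managed rule set, since Group Policy rules override local ones.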
        aznarepse
        last edited by Jun 23, 2020, 6:49 PM

        Good point. RRAS provided IPs from the main LAN subnet. I'll give it a go.

          aznarepse
          last edited by Jun 23, 2020, 7:09 PM

          @jimp Bingo! Thank you so much. I was blind to this....

            jgraham5481 @aznarepse
            last edited by Jun 24, 2020, 5:51 AM

            @aznarepse
            I'm just curious: with pfSense running the VPN, how did you get NPS to be the DHCP server?

              aznarepse
              last edited by aznarepse Jun 24, 2020, 7:41 AM Jun 24, 2020, 7:14 AM

              @jgraham5481 I did not explain myself properly in my writing. I can see how it could read that way. The domain controller has NPS and also DHCP and DNS services running. NPS provides the RADIUS server and the policies for authentication and authorization.
              pfSense manages routing between the WAN and LAN, and it is assigned as the gateway by the DHCP server (hosted on the DC) for all the devices in the LAN that use a dynamic IP. When a client joins the VPN, it does so in a different subnetwork, with an IP range assigned by pfSense. The latter does the routing between the VPN subnet and the LAN subnet for the VPN clients.
