Windows 10 IPsec IKEv2 connection with standard Microsoft VPN Client



  • I battled with trying to get a VPN connection working with Windows 10 so I wanted to share with others so they can avoid some of my pain.

    Main problem - when you read the guide https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 here is the most important part which others are not realizing they are doing…  Don't read the "if there are no iOS/OS X devices" sections and improve your experience with Standard Windows 10 (no special clients).

    Do use Set Encryption algorithm to 3DES & Set Hash algorithm to SHA1.  I tried the AES settings and it did not work for me after many tries.

    Otherwise you will get a "Policy Match Error", which no one explains without digging.  No Policy match means the client and server can't match encryption and hash algorithm settings.

    You will also get this in the event log:
    The error code returned on failure is 13868, which is the technical value for Policy Match Error. But that is not documented on Microsoft Technet.

    To make the connection very quick… do the Advanced setup steps.  The section half way down explains: The connection has been added but with several undesirable defaults.
    In Windows 10, you get to those advanced settings via
    Settings -> Network & Internet -> VPN -> (Under Related Settings) Change Adapter Settings -> and then select the Connection and Properties.

    Another thing that was not clear.

    When you set up the User, the Password that matters for the VPN Connection is the word at the bottom of the page:  IPsec Pre-Shared Key
    The password on the user setup pages in the pfSense User Manager/Edit is to log on to the console, not for making the VPN connection.

    Below are the Security settings of the VPN Tunnel and the Tunnel Definition that worked for me with standard Windows 10 VPN Client.

    Other resources that might help you: http://www.vpncasestudy.com/download/troubleshoot/Troubleshooting_IKE_VPN.pdf

    I'm using: 2.3.2-RELEASE (i386) built on Tue Jul 19 13:09:39 CDT 2016

    Hope that helps others. DJ





  • Ok, so I got a little ahead of myself… this continues to be a work in progress.

    I used a virtual pool of IP addresses and after another Windows 10 update, now the tunnel does not work.  (Slow ring of post Anniversary Update).

    This looks interesting as route no longer routed over the tunnel and it drops after a minute. https://forum.pfsense.org/index.php?topic=119509.0

    I do have the split tunnel issue, since I was only selectively routing a few subnets.  But that did not fix the issue for me...

    ... work in progress ...



  • So it turns out that the issue I'm having is due to the current Windows Insider Preview builds at 14965 build level.  If I use a computer outside the Windows Insider program it works.

    Key items for Windows 10… You need the

    The Virtual IP Pool is not a problem.. I use a Pool pointing to addresses which don't exist in my network and I did not have to set up any special routing for it to work.

    I ended up trying both
      On phase 2 I set Local Network to:
          Type: Network
          Address: 0.0.0.0 / 0
      And Type: LAN

    Both send traffic to the local servers but neither allows me to go thru the VPN to the Internet.

    Still a work in progress...



  • I use the following PowerShell commands when creating IPsec VPN clients on Windows 10 for my pfSense clients.  The DestinationPrefix subnets are subnets behind the pfSense firewall.

    I never have had to mess with the registry.

    I have iPhone, Android, Mac and Windows clients connecting and using the same doc I have no issues.  I suggest you post screenshots of your config.

    Add-VpnConnection -Name "VPN_NAME" -ServerAddress "firewall.domain.com" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
    Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix 10.0.0.0/24 -PassThru
    Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix 10.0.2.0/24 -PassThru
    Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix 10.0.4.0/24 -PassThru
    Add-VpnConnectionRoute -ConnectionName "VPN_NAME" -DestinationPrefix 10.0.40.0/24 -PassThru



  • srtechie-dj I feel your pain. We are at identical stages in the process. Thanks for sharing the note on the insider preview. I wondered why I was able to tunnel traffic to internal hosts one day and then not. I had assumed it was upgrade to latest build of pfsense, but I now realise it is Windows 10. I will post here if I make any breakthrough myself.



  • Just to confirm that I built a virtual PC with standard Windows 10 professional and the built-in VPN client works fine with our pfsense 2.3.2_1 IKE with EAP-MSCHAP.



  • The latest slow ring build of Windows 10  14986 fixes the VPN issue and everything is working great now.

    I leveraged a lot of learning from around the forum and ended up with an IKEv2 using EAP that has access to the Internet with split tunnel.

    I have 'challenged' users so I also built a script for installing the Windows Client using PowerShell.

    It avoids the 'run as Admin problem' and elevates to admin as needed.

    For someone else to use this, you need:

    • certificate file renamed from vpn.MYDOMAINHERE.COM.file to whatever yours is called

    • replace vpn.MYDOMAINHERE.COM with your vpn domain server name

    • Name the VPN Connection (RemoteNetwork)

    • customize the ip addresses of the subnets you use

    • change MYDOMAINHERE.LOCAL to be your domain extension used internally

    Hope others find this useful!

    write-output " "
    write-output " "
    write-output " "
    write-output " "
    write-output " "
    
    $Host.UI.RawUI.BackgroundColor = "Blue"
    $Host.UI.RawUI.ForeGroundColor = "White"
    
    $MyFileName = "vpn.MYDOMAINHERE.COM.file"
    $installCert = $PSScriptRoot + "\" + $MyFileName
    
    # The certificate file must sit next to this script; bail out if it is missing
    if (-not (Test-Path $installCert)) {
    	Write-Host "You must have the" $MyFileName "in the same directory as the other files"
    	Write-output ""
    	Write-output "Please extract all the files to the same location"
    	Write-output ""
    	$Host.UI.RawUI.BackgroundColor = "Black"
    
    	pause
    	exit
    }
    
    # Get the ID and security principal of the current user account
    $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
    $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
    
    # Get the security principal for the Administrator role
    $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
    
    # Check to see if we are currently running "as Administrator"
    if ($myWindowsPrincipal.IsInRole($adminRole))
       {
       # We are running "as Administrator" - so change the title and background color to indicate this
       $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
       $Host.UI.RawUI.BackgroundColor = "Blue"
       $Host.UI.RawUI.ForeGroundColor = "White"
       clear-host
       }
    else
       {
       # We are not running "as Administrator" - so relaunch as administrator
    
       # Create a new process object that starts PowerShell
       $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";
    
       # Specify the current script path and name as a parameter
       $newProcess.Arguments = '-ExecutionPolicy Unrestricted  -File "' + $myInvocation.MyCommand.Definition + '"';
    
       # Indicate that the process should be elevated
       $newProcess.Verb = "runas";
       # write-host $newProcess.Arguments;
       # Start the new process
       [System.Diagnostics.Process]::Start($newProcess);
       # Exit from the current, unelevated, process
       exit
    
       }
    
    # Run your code that needs to be elevated here
    
    write-output "Installing Certificate"
    write-output " "
    write-output " "
    
    # write-host $installCert
    
    # Installs the VPN server's certificate into the machine-wide Trusted Root store,
    # so every account on this PC will trust the server for IKEv2 (requires elevation)
    Import-Certificate -FilePath $installCert -CertStoreLocation  Cert:\LocalMachine\Root
    
    write-output " "
    
    write-output "Creating VPN Connection"
    write-output " "
    
    Add-VpnConnection -Name "RemoteNetwork" -ServerAddress "vpn.MYDOMAINHERE.COM" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -RememberCredential -DnsSuffix MYDOMAINHERE.LOCAL 
    $null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.33.0/24 -PassThru
    $null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.34.0/24 -PassThru
    $null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.35.0/24 -PassThru
    $null = Add-VpnConnectionRoute -ConnectionName "RemoteNetwork" -DestinationPrefix 192.168.36.0/24 -PassThru
    write-output " "
    
    write-output "Completed. "
    write-output " "
    write-output " "
    write-output "                 Success!!!!!"
    write-output " "
    
    write-output "once you have logged in once, it will remember the username and password"
    write-output " "
    
    Write-Host -NoNewLine "Press any key to continue..."
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    
    


  • The problem with AES and higher DH Groups not working you can fix by setting NegotiateDH2048_AES256 in the registry. This bumps the phase 1 cipher to AES256, DH Group 14 and SHA256 like explained here https://github.com/trailofbits/algo/issues/9 and here http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html.
    What we have not solved until now are the VPN drops after a minute or so, which started with the latest updates, only on Windows 10 1607 if you have no active traffic across the VPN.  Can anyone confirm this flaw?



  • I've tried all of the above and created a simple PowerShell script that does all of the configuration including adding the registry entry for behind a NAT firewall and using DH Group 14.

    I'm still getting an 809 error when the Windows 10 computer is behind a pfSense router. I.e. if I have my Surface Pro hooked up to tethering on my Android phone which has NAT then the Surface Pro will connect to the pfSense VPN no problem.

    If however I have my Surface Pro at work behind work's pfSense router and try and connect it to my home pfSense VPN with IPsec IKEv2 then it refuses to connect with 809 error and then a 631 informational message in the logs.

    Using a Mac it works fine. Just Windows 10 that has issues.

    On the client firewall version of pfSense outbound rules are set to automatic.

    Any ideas as to what the problem could be? (The VPN is set up according to the IPsec and MSCHAP documentation and I've checked multiple times.)

    Here's the pfSense host log too which seems to indicate that it's working but then drops:

    Jan 23 12:05:34 charon 02[JOB] <con1|28> deleting half open IKE_SA after timeout
    Jan 23 12:05:06 charon 02[NET] <con1|28> sending packet: from 50.233.196.210[4500] to 10.100.0.63[4500] (1712 bytes)
    Jan 23 12:05:06 charon 02[IKE] <con1|28> received retransmit of request with ID 1, retransmitting response
    Jan 23 12:05:06 charon 02[ENC] <con1|28> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jan 23 12:05:06 charon 02[NET] <con1|28> received packet: from 10.100.0.63[4500] to 50.233.196.210[4500] (1328 bytes)
    Jan 23 12:05:05 charon 02[NET] <con1|28> sending packet: from 50.233.196.210[4500] to 10.100.0.63[4500] (1712 bytes)
    Jan 23 12:05:05 charon 02[IKE] <con1|28> received retransmit of request with ID 1, retransmitting response
    Jan 23 12:05:05 charon 02[ENC] <con1|28> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jan 23 12:05:05 charon 02[NET] <con1|28> received packet: from 10.100.0.63[4500] to 50.233.196.210[4500] (1328 bytes)

    Thanks!
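The two posts above both rely on registry values plus a client-side proposal that matches pfSense. The script below is an added example, not the poster's script or pfSense's documentation: it sets the NegotiateDH2048_AES256 value from the earlier post, the PolicyAgent NAT-traversal value (assumed to be the "behind a NAT firewall" entry the later post refers to), and then pins the proposal with Set-VpnConnectionIPsecConfiguration so the client does not depend on the registry default at all. Connection name, server name and the AES256/SHA256/DH14/PFS-off proposal are assumptions taken from this thread.

```powershell
# Added example (not from any poster in this thread). Assumes a connection named
# "RemoteNetwork" to "vpn.MYDOMAINHERE.COM" (placeholder names from the thread) and a
# pfSense Phase 1 of AES256 / SHA256 / DH group 14 with PFS off on Phase 2.
# Registry writes and Set-VpnConnectionIPsecConfiguration need an elevated shell.
#Requires -RunAsAdministrator

$ConnectionName = "RemoteNetwork"
$ServerAddress  = "vpn.MYDOMAINHERE.COM"

# 1. The built-in client defaults Phase 1 to 3DES/SHA1/DH2 (the "Policy Match Error"
#    13868 from the first post when pfSense offers only AES). The RasMan value used by
#    the two guides linked above raises it to AES256/SHA256/DH14; DWORD 1 is the value
#    those guides use (assumption: other values are not covered on this page).
$rasman = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
Set-ItemProperty -Path $rasman -Name "NegotiateDH2048_AES256" -Value 1 -Type DWord

# 2. Client behind NAT (the 809 case): tell the IPsec policy agent to accept
#    UDP-encapsulated ESP. 2 = both client and server may sit behind NAT.
$policyAgent = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
Set-ItemProperty -Path $policyAgent -Name "AssumeUDPEncapsulationContextOnSendRule" `
    -Value 2 -Type DWord

# 3. Create the connection with the same switches the earlier posts use, idempotently.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP `
        -SplitTunneling -RememberCredential
}

# 4. Pin the proposal explicitly so it matches the pfSense Phase 1/2 entries instead of
#    whatever the registry default happens to be after the next Windows build.
#    EncryptionMethod/IntegrityCheckMethod/DHGroup = Phase 1 (IKE);
#    CipherTransformConstants/AuthenticationTransformConstants/PfsGroup = Phase 2 (ESP).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# 5. Read back what the client will actually propose; compare it against the pfSense
#    Phase 1/2 pages before troubleshooting anything else.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

A reboot is needed for the two registry values to take effect, while the custom IPsec policy applies on the next dial.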



  • Hi all please try my mentioned Settings here -> https://forum.pfsense.org/index.php?topic=124394.0

    I also created a German step-by-step guide with the help of the pfSense wiki (on my KB).
    I hope the admins consider updating the wiki soon, I will do it if they let me :P



  • Mine too was fixed with the next insider build and Windows 10 in-built client is working. However, we have a problem with the client losing connection after a period of time. Are you also seeing this? I reported it in a separate thread here.

    https://forum.pfsense.org/index.php?topic=124939.0



  • Sorted it out myself. If anybody else has this issue, make sure you haven't got 'PFS key group' set to anything else but 'off' - through troubleshooting issues with it not working with latest Insider Release of Windows 10, it got switched on. Doh!



  • Hi

    I've followed the docs and have an IPsec VPN set up. It seems to be working fine from my phone & Windows 10 PC.
    Under Phase 2 I've set the Local Subnet to OPT2. Does that restrict clients to that interface?

    Does someone need to know the username, password and have the crt to be able to connect?

    Thanks



  • Thank you. That is really helpful

    Regards RW



  • It is working even with CARP IP exactly with these settings: IKE aes 256 sha256 dh2; ESP aes auto sha1 sha256 pfs off and so on
    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
    But remember about adding the CARP WAN IP in the certificates as common name, and in the Alternative Name, and add it also as IP - the second alternative option.
    In Phase 1 use IP Address (not distinguished name) with the CARP WAN IP.
    If you do not have two routers with a CARP connection, then use your normal, not virtual, IP.
    I can connect with native clients from Win8 and Win10 even behind a pfSense router or through mobile phone Internet.
    I attached two screencasts as proof.






  • See this posting for a new updated IKEv2 EAP-MSCHAP document that works with BOTH Windows 10 AND OSX.

    https://forum.pfsense.org/index.php?topic=127457.0

    It combines some of the stuff in this thread in one place. Hope it helps.

