IKEv2 EAP-MSCHAPv2 on multiple interfaces? Possible?



pfSense 2.3.2p1, 3 NICs.

The original setup has a WAN port to the internet, a LAN port, and an unused port. We set up IKEv2 with EAP-MSCHAPv2 per these docs:

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

It works great, no problems (road warriors on the internet connecting to our WAN port for VPN using IKEv2).

Now we want to also allow VPN access into the LAN network from select users on a completely separate network (a different department within our building that we do not control). I assumed we could just plug the unused (3rd) NIC into their network (they did give us a static IP in their network, but will not do any routing or other changes for us), generate a second server certificate with a CN of the IP of the new (previously unused) interface, and set up a tunnel (phase 1 and 2) that references that cert. Then users on that network could just create a client IKEv2 connection to our IP in that network and have access to our stuff as well.

But when I go to set up the new (second) phase 1 tunnel, the only 2 authentication choices I have are Mutual RSA and Mutual PSK. I no longer have the EAP-MSCHAPv2 option. If I go back and look at the first tunnel's P1 (the working one on our WAN port), EAP-MSCHAPv2 is certainly in the pulldown (and is of course selected). So I guess what I'm trying to do just isn't possible (i.e. IKEv2 on two different outside ports)?

Any thoughts appreciated!

J
