Ikev2 eap-mschapv2 on multiple interfaces? Possible?
  • pfSense 2.3.2p1, 3 NICs.
    The original setup has a WAN port to the internet, a LAN port, and an unused port. We set up IKEv2 with EAP-MSCHAPv2 per these docs:

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    It works great, no problems (road warriors on the internet connecting to our WAN port for VPN using IKEv2).

    Now we want to also allow VPN access into the LAN network from select users on a completely separate network (a different department within our building that we do not control). I assumed we could just plug the unused (3rd) NIC into their network (they did give us a static IP in their network, but will not do any routing or other changes for us), generate a second server certificate with a CN of the IP of the new (previously unused) interface, and set up a tunnel (phase 1 and 2) that references that cert. Then users on that network could just create a client IKEv2 connection to our IP in that network… and have access to our stuff as well.

    But when I go to set up the new (second) phase 1 tunnel, the only 2 authentication choices I have are mutual RSA and mutual PSK. I no longer have the EAP-MSCHAPv2 option. If I go back and look at the first tunnel's P1 (the working one on our WAN port), EAP-MSCHAPv2 is certainly in the pulldown (and is of course selected). So I guess what I'm trying to do just isn't possible (i.e. IKEv2 on two different outside ports)?

    Any thoughts appreciated!

    J



  • Hello,

    Thread necromancer here with the same question.

    I have successfully followed this guide: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#Create_Client_Pre-Shared_Keys, and have had an IKEv2 P1 setup for years.

    I have a segmented network and allowing LAN access to loop back to the WAN interface was creating odd exceptions that allow a LAN user to have access to services that would be blocked by normal WAN rules, so I explicitly block LAN to WAN_address from a floating rule.

    I now want to allow IKEv2 from LAN into secure segments but I can only bind my P1 to one interface. No worries. I went to set up a second P1 on the accessible interface and ran into the same thing as the OP. I am presented with a 'remote gateway address' option and no EAP options. It's as if pfSense is presuming any additional P1s are always going to be a client as opposed to the already created server.

    I may be thinking about this wrong, any help appreciated.