IKEv2 VPN for Windows 10 and OSX - HOW-TO!
-
Hello guys!
I can connect to the IKEv2 IPSec VPN and ping both WAN and LAN NIC from my pfsense but I cannot ping other hosts in the remote LAN
Thanks!
Hi all,
Is there anyone, who could help me? How to start debugging what's wrong in my config?
Thank you,
Peter
-
sorry to reopen this, but following the same config for windows 10 I was able to set dh20 via powershelll but I get a odd certificate issue:
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received cert request for unknown ca with keyid xx:xx:xx..
Aug 24 22:12:29 charon 08[IKE] <2> received 41 cert requests for an unknown caThe ca is installed to the trusted store and this works fine on OSX with the same ca :/
I was using the IP for remote connection and unlike OSX you can't set the Address and the actual remote identifier so I change to use a public dns name set in cloudflare and created a new server certificate , updated the OSX profile which still works, but in windows I get the same exact issue.
Unfortuntly I didn't find much help on google (other then it being related to the CN/subject names, but that should be a issue if using the FQDN name to connect and use that as CN/add dns and IP to alt subject names.
Any ideas?
-
Actually I was focusing on that cause I didn't see this in the OSX successful connection, but there also:
24 22:12:29 charon 08[CFG] <2> looking for peer configs matching 192.x.x.x[%any]....x.x.x.x.[172.16xx.x] Aug 24 22:12:29 charon 08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike) Aug 24 22:12:29 charon 08[CFG] <2> candidate "con-mobile", match: 1/1/1052 (me/other/ike) Aug 24 22:12:29 charon 08[CFG] <2> ignore candidate 'con-mobile' without matching IKE proposal Aug 24 22:12:29 charon 08[CFG] <bypasslan|2> selected peer config 'bypasslan' Aug 24 22:12:29 charon 08[IKE] <bypasslan|2> peer requested EAP, config unacceptable Aug 24 22:12:29 charon 08[CFG] <bypasslan|2> no alternative config found -
I could finally connect my windows 10 pro, but results are:
Windows 10 Good.
Windows 8, good no need to add the route command, but once the vpn connect, all the traffic goes over the vpn, I still checking this.
Windows 7 no luck, trying different settings.
Android strongswan no luck yet
Ubuntu strongwan no luck yetThanks for the tutorial.
-
I have followed this guide and i can connect to my pfsense vpn server with my Windows 10 client, but i cant connect my Android phone. Is there any way to make it work with Android too?
-
Thanks so much for this. I'm new to pfsense and was ripping my hair out on the wiki how to page "https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html" not working. Nothing but auth errors on my windows 10 machine. Changing to your settings had it connect right away.
-
I have been using this and the original document link today. I was wondering if any of the hardcore pfsense guys might consider expanding it to cover LANs segmented with VLANs?
I'm attempting to get a remote access VPN lab up with departmental VLANs on the inside and cannot figure out how I need to alter the steps for this scenario. I've tried setting the local network to a specific VLAN and also to 0.0.0.0 but I can't get a ping working from client to any of the VLANs.
Another thread here asks about how to do this but has had no response. The poster tried adding multiple P2 entries but I can't see anything in the docs that says this is the right thing to do. I'm going to try that anyway but was wondering if anyone who knows for sure would consider expending these helpful links.
UPDATE
My issue was because I didn't get it that the Windows 10 VPN client defaults to split tunnelling and also does not populate routes to other segments. Forum post here. Probably obvious to most others but updating this comment now I get it in case not. -
@helviojr said in IKEv2 VPN for Windows 10 and OSX - HOW-TO!:
I guess i have to add default route for servers subnet? but what is my gw then, because there is no IPV4 address of IKEv2 under connection details.
I didn't test IKEv2 yet (still on L2TP with IKEv1), but it seem you can create route using device, instead of gateway IP:
- use ipconfig to get the name of each device (you probably can get those form GUI also);
- use route print to get the number of each interface, and get the one of your VPN device (the table at the begining of "route print" command output);
- create the route using "IF" option instead of the gateway address:
route ADD 10.10.10.0 MASK 255.255.255.0 IF 10 -p
(this would create a route to subnet 10.10.10.0/24 through interface number 10)Sometimes I prefer the Powershell command:
Add-VpnConnectionRoute -ConnectionName "[vpn_connection_name]" -DestinationPrefix [network]/[Prefix]so for example it becomes:
Add-VpnConnectionRoute -ConnectionName "[vpn_connection_name]" -DestinationPrefix 10.10.10.0/24I use this because connection name is simple to recognize even for people with no technical skills.
