Windows 10 1703 Native VPN Client Failing



  • All,

    Apologies as I am far from a security guru, but I'm posting here requesting some direction to documentation or insight from the experts.

    I am running pfSense 2.3.4-RELEASE.  My VPN is set up per the instructions at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    I have two computers - both running Windows 10 1703.  Both computers were running Windows 10 1607 where I had successfully set up the native Windows VPN client per the instructions at https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2.  I had done the upgrade from 1607 to 1703 in-place and the VPN client continued to connect without any issue.

    I recently did a clean wipe of one of the machines, but after the clean wipe, following the same instructions to set up the VPN does NOT successfully route traffic across the VPN.  When this did work on 1607 (and on 1703 before the clean wipe), the mouseover of the connection icon when connected to the VPN would say "Internet Access" for the VPN connection and "No Internet Access" for the adapter. That is now not happening: when connected to the VPN, the adapter says "Internet Access" and the VPN connection says "No Internet Access".

    Question:  did 1703 break some sort of routing that I need to manually reapply via PowerShell or otherwise?

    Any other suggestions?

    Thanks.

    James


  • Rebel Alliance Developer Netgate

    Do you have the connection set to route everything over the tunnel? If not, then you may have made some other changes locally on that client via powershell that you need to redo. The firewall can't control routing with IKEv2, it's all up to the client.



  • jimp,

    I have the checkbox selected in the Advanced TCP/IP Settings on the VPN connection to "Use default gateway on remote network" and I also applied the following PowerShell to disable split tunneling:
        set-vpnconnection -Name "VPN NAME" -SplitTunneling $false

    However, my HTTP and RDP traffic is still not routing across the VPN, and mouseover on the network connection icon in the Windows status bar shows my WiFi connection as "Internet access" but my VPN connection as "No Internet access".

    I have confirmed yet again that the VPN is working fine on my other Windows 10 machine where the VPN connection was initially set up under 1607 and then upgraded to 1703, but the machine where I did a clean wipe on 1703 is having this issue.

    Any other thoughts out there on how to get all of my Internet traffic to route across the VPN?

    Thanks

    James


  • Rebel Alliance Developer Netgate

    It has to be something not set right on the client yet. Check what the routing table shows ("route print" from a cmd prompt) when connected.



  • Had the same problem:

    pfSense 2.3.4 and a lot of clients running Win10 (1607). Connecting via OpenVPN or via TheGreenBow IPsec works without problems.

    Then the client update to Win10 (1703) killed everything. No VPN connection possible.

    Changed the HDD and restored a Veeam backup on a test client to Win10 (1607) - VPN works successfully.

    After swapping the HDD back to the old one with Win10 (1703) - no VPN connection possible.

    Workaround that solved my problem:

    Deactivate the following services on the Win10 (1703) clients:

    IKE- and AuthIP Ipsec Keymodule, IP-Helpservice, IP-sec Rule Agent

    After a reboot, all VPN connections work successfully.



  • @Bengatzu:

    Had the same problem:

    pfSense 2.3.4 and a lot of clients running Win10 (1607). Connecting via OpenVPN or via TheGreenBow IPsec works without problems.

    Then the client update to Win10 (1703) killed everything. No VPN connection possible.

    Changed the HDD and restored a Veeam backup on a test client to Win10 (1607) - VPN works successfully.

    After swapping the HDD back to the old one with Win10 (1703) - no VPN connection possible.

    Workaround that solved my problem:

    Deactivate the following services on the Win10 (1703) clients:

    IKE- and AuthIP Ipsec Keymodule, IP-Helpservice, IP-sec Rule Agent

    After a reboot, all VPN connections work successfully.

    This worked… although all I did was disable the "IP Helper" service by setting it to "Manual" Startup Type.  My VPN would not connect unless the "IKE and AuthIP IPSec Keying Modules" were set to Automatic and I did not have an "IP-sec Rule Agent" Service.

    Thanks so much for the help!
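
The checks discussed in this thread (the connection's split-tunneling setting, the default routes that "route print" shows, and the state of the services named in the workaround), gathered into one PowerShell script. This is an added example, not part of the original posts. It assumes a per-user connection named "VPN NAME" as in the command above, that the VPN interface alias equals the connection name, and that PolicyAgent (IPsec Policy Agent) is the service the workaround calls "IP-sec Rule Agent".

```powershell
# Added diagnostic example, not from the thread. Run on the client while the VPN is connected.
# Assumption: a per-user connection named "VPN NAME" (add -AllUserConnection otherwise).
$VpnName = 'VPN NAME'

function Get-DefaultRouteRanking {
    # Lists every IPv4 default route. Windows prefers the lowest sum of
    # route metric + interface metric, so that sum is computed per route.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ipIf = Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4
            [pscustomobject]@{
                Interface       = $_.InterfaceAlias
                NextHop         = $_.NextHop
                EffectiveMetric = [long]$_.RouteMetric + [long]$ipIf.InterfaceMetric
            }
        } | Sort-Object EffectiveMetric
}

# 1. Client-side tunnel settings (the firewall cannot push routes with IKEv2).
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
$vpn | Format-List Name, TunnelType, SplitTunneling, ConnectionStatus

# 2. Which interface actually holds the preferred default route?
#    Assumption: the VPN interface alias equals the connection name.
$routes = @(Get-DefaultRouteRanking)
$routes | Format-Table -AutoSize
if ($vpn.ConnectionStatus -ne 'Connected') {
    Write-Warning "'$VpnName' is not connected; connect first and rerun."
} elseif ($vpn.SplitTunneling) {
    Write-Warning 'SplitTunneling is enabled: the default route stays on the local adapter.'
} elseif ($routes.Count -eq 0 -or $routes[0].Interface -ne $VpnName) {
    Write-Warning "The preferred default route is not on '$VpnName'; traffic leaves via the local adapter."
} else {
    Write-Output "Default route is on '$VpnName' (effective metric $($routes[0].EffectiveMetric))."
}

# 3. Startup type and state of the services named in the workaround.
#    iphlpsvc = IP Helper, IKEEXT = IKE and AuthIP IPsec Keying Modules,
#    PolicyAgent = IPsec Policy Agent (assumed to be the "IP-sec Rule Agent").
Get-Service -Name iphlpsvc, IKEEXT, PolicyAgent -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
```

Running it on both the working and the failing machine and comparing the output shows whether the difference is in the tunnel settings, the route metrics or the service configuration.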

