Pre-shared Keys, IPSec and Windows



  • I've just crossed the last hurdle in a three-day effort to set up pfSense, IPSec, and Windows 10 native IPSec.

    The last issue I ran into was that I kept getting a Windows Security dialog saying my user name or password is incorrect.

    The issue was that I used the pfSense user dialog to set up an "IPsec Pre-Shared Key". This apparently creates a key type of PSK (at least according to IPSec/Pre-Shared Keys). According to https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html, I need to set up a Secret Type of EAP.

    In the end, I had to set up a separate EAP pre-shared key with the user's email address and password. This is going to be interesting to maintain logistically.

    Questions:
    Is there a requirement that EAP use "either an IP address, fully qualified domain name or an e-mail address"?
    Why is it a requirement that we use EAP vs PSK keys? Is this due to using EAP-MSCHAPv2?
    Can the User dialog be changed to create either an EAP or PSK key?

