Netgate Discussion Forum
    IKEv2 VPN with windows 10 client can access linux machines but not windows machines in Active Directory

aznarepse
last edited by aznarepse

pfSense is configured in the network to provide routing and load balancing between two WANs and the LAN.
I am also trying to configure it as a VPN (and retire the RRAS server).
I have followed the guides:
      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
      and
      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ikev2-with-eap-radius.html
      and can open a tunnel and the client in windows 10 connects and holds the connection solidly.

The network authentication and authorization is managed by an Active Directory domain controller with NPS, which also provides the DHCP and DNS services.
The Windows 10 client can resolve DNS well in the WAN but not in the LAN, and it can also ping and access servers running Linux in the LAN. However, I cannot access any Windows OS server using any protocol (apart from the DNS server, which is given in the IP configuration).
When the client connects, the DNS and WINS servers are configured correctly to the IP of the Windows server, as configured in pfSense.
The user is authenticated properly and is given full access to the network, as shown in the events of the DC:
      "Network Policy Server granted full access to a user because the host met the defined health policy."
      ...
      Client Machine:
      Security ID: NULL SID
      Account Name: -
      Fully Qualified Account Name: -
      OS-Version: -
      Called Station Identifier: 192.168.2.10[4500]
      Calling Station Identifier: 148.252.129.32[30311]

      NAS:
      NAS IPv4 Address: 192.168.2.10
      NAS IPv6 Address: -
      NAS Identifier: strongSwan
      NAS Port-Type: Virtual
      NAS Port: 1

      RADIUS Client:
      Client Friendly Name: pfSenseVPN
      Client IP Address: 192.168.1.1

      Authentication Details:
      Connection Request Policy Name: Use Windows authentication for all users
      Network Policy Name: Connections to other access servers
      ...

There must be something very obvious that I am missing.

I keep banging my head against this wall and am running out of ideas...
The version of pfSense is 2.4.5-RELEASE-p1 (amd64).

jimp (Rebel Alliance Developer, Netgate)
last edited by

If they can reach anything at all, it's unlikely to be a problem on the clients or the firewall. The first thing I'd check is the local network config/firewall on the Windows systems. They may be configured to block any traffic inbound from other private subnets.

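To carry out the check jimp describes, here is an added PowerShell example (not from the thread or from the pfSense docs) that lists, on a Windows server the VPN clients cannot reach, the enabled inbound allow rules whose remote scope is limited to the local subnet, and then widens one rule group so it also accepts the pfSense mobile client pool. The pool 192.168.100.0/24 and the group name 'File and Printer Sharing' are assumptions, not values from the thread.

```powershell
# Added example for this thread (not the poster's or Netgate's code).
# On a Windows host that IKEv2 clients cannot reach: audit the enabled inbound
# allow rules whose remote scope is LocalSubnet*, then widen one rule group so
# it also accepts the pfSense mobile client pool, which lives on another subnet.
# Assumptions (placeholders, not from the thread):
#   - the client pool pfSense hands out is 192.168.100.0/24
#   - the rule group to widen is 'File and Printer Sharing'
# Run in an elevated PowerShell session on the Windows server.

$VpnPool = '192.168.100.0/24'
$Group   = 'File and Printer Sharing'

# 1. Audit: rules scoped to LocalSubnet / LocalSubnet4 / LocalSubnet6 answer LAN hosts
#    but silently drop a VPN client whose address is in a different subnet.
$scoped = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        @($remote | Where-Object { $_ -like 'LocalSubnet*' }).Count -gt 0
    }

$scoped |
    Select-Object DisplayGroup, DisplayName, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } } |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table -AutoSize

# 2. Remediate: keep the existing scope and add the VPN pool to the chosen group only.
#    Appending the pool, rather than switching the scope to 'Any', preserves the
#    restriction against every other subnet that the default scope was providing.
$scoped | Where-Object DisplayGroup -eq $Group | ForEach-Object {
    $current = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($current -notcontains $VpnPool) {
        Set-NetFirewallRule -Name $_.Name -RemoteAddress ($current + $VpnPool)
        "Widened '$($_.DisplayName)' [$($_.Profile)] to: $(($current + $VpnPool) -join ',')"
    }
}

# 3. Verify from a connected VPN client, e.g.
#    Test-NetConnection -ComputerName <server> -Port 445   (SMB)
```

The audit step alone is enough to confirm jimp's diagnosis; the remediation is one of two fixes, the other being to hand the mobile clients addresses from the LAN subnet as RRAS did.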
aznarepse
last edited by

          Good point. RRAS provided IPs from the main LAN subnet. I'll give it a go.

aznarepse
last edited by

@jimp Bingo! Thank you so much. I was blind to this...

jgraham5481 @aznarepse
last edited by

@aznarepse
I'm just curious: with pfSense running the VPN, how did you get NPS to be the DHCP server?

aznarepse
last edited by aznarepse

@jgraham5481 I did not explain myself properly in my writing. I can see how it could read that way. The domain controller has NPS and also DHCP and DNS services running. NPS provides the RADIUS server and the policies for authentication and authorization.
pfSense manages routing between the WAN and LAN and is assigned as the gateway by the DHCP server (hosted on the DC) for all the devices in the LAN that use dynamic IPs. When a client joins the VPN, it does so in a different subnet, with an IP range assigned by pfSense. The latter does the routing between the VPN subnet and the LAN subnet for the VPN clients.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.