Netgate Discussion Forum

    Virtual Address Pool in Pre-Shared Keys is not used for IPSec

flobernd wrote:

      Re: Virtual Address Pool in Pre-Shared Keys is not used for ipsec

      Hey there,

I'm currently facing the same problem as in the linked thread:
I configured an IKEv2 IPsec VPN and set static IPs for individual clients in the Pre-Shared Keys section.

      Everything works perfectly fine on iOS devices, but Windows ignores the static IP override from the Pre-Shared Key.

I also tested with RADIUS, and that indeed works. The question is: why does it work with RADIUS? Shouldn't that be the same MSCHAPv2 mechanism, just with RADIUS as the authentication backend?

      I would be fine using RADIUS but for some reason this breaks my split-DNS config for (only!) the iOS clients.

      Can somebody please give me some hints what I might do wrong?

      Best,
      Florian

keyser (Rebel Alliance), replying to @flobernd:

@flobernd Did you find a way to solve this issue? As far as I can tell the devs are saying it's a Windows VPN client issue with not using the correct identifier in the connection.

Any input here would be great, as this is a huge problem because I cannot create individual rules per user (I don't know their IP).

        Love the no fuss of using the official appliances :-)

flobernd, replying to @keyser:

@keyser Not a real solution, sadly. You are right about the wrong identifier. Sadly there is no way to work around that issue :-/ It was also pretty annoying to configure the correct algorithms for the connection on Windows (only available through PowerShell).

          I switched to OpenVPN and never looked back. Everything was much easier to configure and it worked on the first try on all my devices (Windows and iOS).

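The "only available through PowerShell" part of the post above refers to pinning the IKE/ESP proposals of the Windows built-in IKEv2 client. The following is an added example, not something posted in the thread and not Netgate's or Microsoft's own code; it builds a client profile for a pfSense mobile IPsec gateway that authenticates users with EAP-MSCHAPv2 (the "Pre-Shared Keys" user entries pfSense uses for that). The connection name pfSense-IKEv2, the gateway name vpn.example.com, the internal prefix 10.0.0.0/8 and the chosen algorithm set are assumptions; they must match what is configured on the pfSense side.

```powershell
# Added example (not from the thread): Windows built-in IKEv2 client profile
# for a pfSense mobile IPsec gateway using EAP-MSCHAPv2, with the IKE/ESP
# proposals pinned. The GUI does not expose the proposal settings.
# Assumed values (hypothetical): connection name, gateway FQDN, internal prefix.
# Run in an elevated Windows PowerShell 5.1 session.

$Name   = 'pfSense-IKEv2'
$Server = 'vpn.example.com'   # must match a SAN in the gateway's certificate,
                              # and the issuing CA must be in the machine store

# Remove a stale profile of the same name so the script can be re-run.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# MSChapv2 here is EAP-MSCHAPv2 inside IKEv2, i.e. the user/password entries
# pfSense keeps under VPN > IPsec > Pre-Shared Keys (type EAP).
# Add -AllUserConnection to make the profile usable before user logon.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -SplitTunneling -Force

# Pin the proposals. The Windows defaults still include SHA1 and DH group 2,
# which a hardened pfSense Phase 1/Phase 2 will reject. EncryptionMethod,
# IntegrityCheckMethod and DHGroup are the IKE (Phase 1) proposal;
# CipherTransformConstants, AuthenticationTransformConstants and PfsGroup are
# the ESP (Phase 2) proposal. All six must match the gateway exactly.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 `
    -Force

# With split tunnelling enabled, only prefixes added here are routed through
# the tunnel. Everything else stays on the local default route.
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix '10.0.0.0/8'

# Show what the client will actually offer before dialling.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, IPsecCustomPolicy

# Dial it (prompts for credentials the first time, then uses the cached ones).
rasdial $Name
```

Note what this does and does not change: the proposals and routes are fully under the client's control, but none of these cmdlets let you choose the IKE identity the Windows client sends, which is exactly the identifier problem the thread is about. The per-user virtual address configured in the pfSense Pre-Shared Keys entry will therefore still not be applied to a Windows client by this profile; only the algorithm mismatch, the second complaint in the post, is addressed here.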
keyser (Rebel Alliance), replying to @flobernd:


I suspected that would be the answer. I am not a fan of OpenVPN even though it works great. All the work/hassle of deploying VPN agents and maintaining them on the different OSes is just too cumbersome. The GREAT feature of IPsec mobile warrior is that the built-in OS VPN agent just works (well, almost; looking at you, Windows…)

            I really hope some work could be done in the pfSense IPSEC engine to adapt to identifying Windows VPN clients correctly.

flobernd, replying to @keyser:

@keyser You are right. I would have loved to use IPsec over OpenVPN as well. Sadly, from what I investigated, the issue is on the Microsoft side and there is no way to work around it on the pfSense side.

keyser (Rebel Alliance), replying to @flobernd:


Yeah, I know it's because MS's client does not identify itself correctly, but obviously a workaround could be made in the pfSense IPsec daemon; it's merely a matter of "translating" the identification it sends before looking for additional client settings to apply. We know which client it is, so it could be done "easily".

The pressing question, however, is: do we want to? Is it prudent to adapt to particular clients' follies and idiosyncrasies?
Mostly the answer is no, but with MS being the largest client group out there it becomes a problem for pfSense. pfSense will be left in the dust by other VPN solutions because it does not play well with Windows…

keyser (Rebel Alliance), adding to the above:

                  @keyser To expand on that:

In my opinion pfSense could very quickly become a VERY VERY large IPsec mobile VPN market share owner if:

1: its engine was adapted to allow for per-user/group firewall rules, either completely, which is unlikely and VERY complicated, or simply by having multiple virtual pools to assign different clients to (each pool has its own firewall rules).
2: An add-on bonus would be multiple instances of the IPsec engine in pfSense, each one on its own unique interface IP.

The sad part is that neither of those two is very complicated to support. strongSwan already has full support for multiple IP pools referenced by name (from, say, RADIUS or pre-shared config), but there is just no drive towards it because everybody thinks: ahh, well, I'll go with OpenVPN then…

The added bonus for enterprises if they could just use the built-in VPN client is… HUGE! Two PowerShell commands or a simple group policy and you have all the features you need, including raising the VPN automatically and/or before logon.

keyser (Rebel Alliance), later:

                    @keyser Just bumping this thread out of Interest.

Does anyone know if making IPsec road warrior "usable" in larger corporations is actually on the roadmap from Netgate, or will it just be stranded at "one pool, one ruleset for all VPN users" going forward?

                    The Framed-IP-Address is not a solution in larger networks due to the massive maintenance issues it brings.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.