Win10 IKEv2 Connects, but No Network Access
-
I am trying to set up a Win10/64 Pro PC for remote access into my pfsense (2.4.4) box. I followed this recipe:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-client-windows.html
and the Win10 machine's new VPN connect will "connect," but then it has No Network Access, and can't access any of the resources behind the VPN.
The LAN that I want the remote PC to access is 192.168.0.0/24. I'm not sure how to configure the Tunnel:Local Network and the NAT/BINAT settings or the Mobile Client:Virtual Address Pool, but here's how things are set up currently:
(I'm currently inside the building I want to tunnel into, which is why I've disabled the Ethernet adapter, and instead I'm using WiFi through my iPhone's personal hotspot, which effectively puts me outside the building while I'm testing/configuring)
The security and certificate seem to be set up correctly, or else I wouldn't be able to connect and show the IPSec AES 256 encryption, but I must have the tunnel and/or the IP(s) set up incorrectly.
The strange thing is that this all was working 2 years ago when we first locked down, but this is a new PC, and I must have changed something on the pfsense side without taking notes.
-
@thewaterbug Your settings there are correct, but we need to see the phase1 tunnel settings also.
Also - have you created any firewall rules on the IPSec interface to actually allow traffic to pass from those clients?
However - there are a LOT of issues with IKEv2 IPSEC VPN Windows Clients to pfSense 2.4.x
My first advice would be to upgrade your box to 2.6CE - It’s much simpler to get Windows clients working with that build.
-
@keyser said in Win10 IKEv2 Connects, but No Network Access:
@thewaterbug Your settings there are correct, but we need to see the phase1 tunnel settings also.
Also - have you created any firewall rules on the IPSec interface to actually allow traffic to pass from those clients?
However - there are a LOT of issues with IKEv2 IPSEC VPN Windows Clients to pfSense 2.4.x
My first advice would be to upgrade your box to 2.6CE - It’s much simpler to get Windows clients working with that build.
Ah, I'm just seeing this now, after posting my other thread with a similar issue. Is the MBT-2220 compatible with 2.6CE? My Dashboard says "The system is on the latest version" so I wasn't sure if it was safe to upgrade.
Can I upgrade in place? Or do I have to reinstall and restore the config?
-
@thewaterbug said in Win10 IKEv2 Connects, but No Network Access:
@keyser said in Win10 IKEv2 Connects, but No Network Access:
@thewaterbug Your settings there are correct, but we need to see the phase1 tunnel settings also.
Also - have you created any firewall rules on the IPSec interface to actually allow traffic to pass from those clients?
However - there are a LOT of issues with IKEv2 IPSEC VPN Windows Clients to pfSense 2.4.x
My first advice would be to upgrade your box to 2.6CE - It’s much simpler to get Windows clients working with that build.
Ah, I'm just seeing this now, after posting my other thread with a similar issue. Is the MBT-2220 compatible with 2.6CE? My Dashboard says "The system is on the latest version" so I wasn't sure if it was safe to upgrade.
Can I upgrade in place? Or do I have to reinstall and restore the config?
2.6 should run fine on that box.
While you can upgrade, I would highly recommend a clean reinstall with your config-file stored in a folder named “conf” on your reinstall USB stick. That way you get a clean box, but still with your current configuration (no need to run the setup wizard and whatnot).
-
Thanks! Does putting the config file in the /conf/ folder work for all pfsense installs? It didn't work for me.
I just successfully installed onto another unit, an SG-1100, this firmware:
pfSense-plus-compat-recovery-22.05-RELEASE-aarch64.img.gz
because that's what Netgate sent me for the SG-1100, but the configuration didn't import. Do I have it in the correct place on the USB stick?
It wasn't a big deal on this box, because I'm upgrading and configuring offline. After the installation I imported the config file manually, and it all appeared to be good. Then I'll swap this SG-1100 into the place of an APU box that's running, and if the SG-1100 doesn't work for any reason I can just swap the APU box back into place in 2 minutes.
But my next upgrade from 2.4.4 to 22.05 will be an upgrade-in-place of the MBT-2200 that's the original subject of this thread, and I don't have a spare router to swap into its place if the upgrade goes south.
-
@thewaterbug As far as I know, it should work on all models. But I have experienced the same thing once. Don’t know what caused it.
If you are not too scared of accessing the shell, it’s very easy to mount and copy a known config file from a USB FAT32 formatted stick on a clean box, and import it.
https://linuxconfig.org/restore-pfsense-configuration-backup-from-console-using-usb-drive
-
@thewaterbug said in Win10 IKEv2 Connects, but No Network Access:
Thanks! Does putting the config file in the /conf/ folder work for all pfsense installs? It didn't work for me.
My problem may have been that I didn't rename the config file. I just put it in there with its full filename, e.g.:
config-hostname.domain.tld-20221007121918.xml
After doing some reading, I renamed it as just config.xml. I didn't know whether to put it at the root or at /conf/, so I put it in both, and it worked this time.
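
An added example, not part of the original posts: a POSIX shell helper that stages a pfSense backup on a mounted USB stick under the name config.xml, in both the root and /conf/ as the last post describes. The function name, the mount-point argument and the root-element sanity check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): stage a pfSense backup on a mounted
# USB stick as config.xml, the name the last post found was required.
# Assumptions: $1 is the exported backup, $2 is where the stick is mounted.

stage_pfsense_config() {
    src=$1
    usb_root=$2

    [ -f "$src" ] || { echo "no such backup: $src" >&2; return 1; }
    [ -d "$usb_root" ] || { echo "stick not mounted at: $usb_root" >&2; return 1; }

    # A plain pfSense backup is XML with a <pfsense> root element. Refuse
    # anything else (wrong file, cut-off download) before it reaches the box.
    grep -q '<pfsense>' "$src" || { echo "not a plain pfSense config: $src" >&2; return 1; }
    grep -q '</pfsense>' "$src" || { echo "truncated config: $src" >&2; return 1; }

    mkdir -p "$usb_root/conf" || return 1

    # The poster placed the file in both locations; do the same here.
    for dest in "$usb_root/config.xml" "$usb_root/conf/config.xml"; do
        cp "$src" "$dest" || return 1
        # Verify the copy byte for byte before trusting the stick.
        cmp -s "$src" "$dest" || { echo "copy mismatch: $dest" >&2; return 1; }
    done

    echo "staged $(basename "$src") as config.xml in / and /conf/"
}
```

Call it as `stage_pfsense_config <backup.xml> <mount point>`, then unmount the stick cleanly before pulling it.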