IPSec VPN with native Windows VPN client



  • Hi
    I recently upgraded a few of my computers to the latest Windows 10 preview build, and since the native Windows VPN client does not work with pfSense in Windows 7 and Windows 8.x, I assumed that it would be the same with Windows 10, which it is.
    My road warrior configuration is as per this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Normally I would use the Shrew SoftVPN, but this does not work with Windows 10 either. I do not know if their client will get updated to work with Windows 10, but since the native client in OS X is working, I would actually prefer to use the native client in Windows as well.

    Can the configuration be changed to work with the native Windows client without breaking support for OS X and Android, or should I create an L2TP connection for Windows clients instead?


  • Rebel Alliance Developer Netgate

    At the moment I'd say your best bet is this: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2



  • Take a look at the green bow project.

    http://www.thegreenbow.com/doc/tgbvpn_cg-pfsense-router-en.pdf

    https://forum.pfsense.org/index.php?topic=28638.0

    It seems to be a more actual solution supporting Windows 8.1 / 10. ShrewSoft doesn't; that's the only main reason I am still using Windows 7 at the moment.

    Do not hesitate to post your tests here or in a new thread. There is no "the green bow pfsense road warrior" yet.

    Does someone know if pfSense plans to work itself on a Windows VPN client, such as Cisco have their own VPN client software for Windows?

    That could be a really good idea to implement that feature!



  • I am using the ShrewSoft client on Windows 10 to connect to a Cisco ASA.  Maybe it doesn't work specifically with pfsense, but Shrew itself does seem to work on Windows 10.



  • @jimp:

    At the moment I'd say your best bet is this: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    This works well from the latest Windows 10 clients (Version 10.0.16299 Build 16299), but there is a problem that sneaks in.

    The IPSec connection also adds a default route to the Windows routing table, resulting in 2 0.0.0.0 routes.  This breaks internet access.

    What causes this insertion and how do we stop that from happening?

    Here are the routes:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.218   4280
              0.0.0.0          0.0.0.0         On-link     192.168.120.1     46
    

    thanks!



  • @lifeboy:

    What causes this insertion and how do we stop that from happening?

    Oh, how the sneaky obscure Windows settings snag the occasional visitor to its strange entangled world! :-)

    I thought I found the problem, but no! The Windows client had the "use default gateway on remote network" set in the VPN client (TCP/IP properties | advanced).  Unchecked that and that causes the additional default route insertion to stop, but it also doesn't know how to route any traffic via the VPN.

    So do I have to add a manual route to the IPSec client config?  I will do that for now, but I have a hunch that the IPSec server should somehow tell the client what traffic to route via it, not?
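
The split-tunnel setup discussed in the post above, as an added example that is not part of the original thread: it clears "use default gateway on remote network" from PowerShell, attaches a route for the remote LAN to the connection, and lists which routes are in effect. The connection name and the 10.0.50.0/24 prefix are placeholders, not values from the thread, and the connection is assumed to be a per-user one.

```powershell
# Added example. $Name and $RemoteLan are placeholders, not values from the thread.
$Name      = 'pfSense IKEv2'   # name of the existing VPN connection (assumed)
$RemoteLan = '10.0.50.0/24'    # network behind the pfSense box (assumed)

$vpn = Get-VpnConnection -Name $Name -ErrorAction Stop

# Same switch as the "Use default gateway on remote network" checkbox:
# SplitTunneling = $true means no 0.0.0.0/0 route is added for the tunnel.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $Name -SplitTunneling $true
}

# Attach the remote LAN to the connection, so the route is added on connect
# and removed on disconnect (no persistent "route add" needed).
if ($vpn.Routes.DestinationPrefix -notcontains $RemoteLan) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteLan
}

# Run after connecting: show the default route(s) and the remote-LAN route,
# lowest combined metric first, to confirm which interface each one uses.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', $RemoteLan } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias,
        @{ n = 'Metric'; e = { $_.RouteMetric + $_.InterfaceMetric } } |
    Sort-Object DestinationPrefix, Metric |
    Format-Table -AutoSize
```

With split tunneling enabled, only traffic to `$RemoteLan` is carried by the tunnel; everything else leaves through the local gateway outside the VPN.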



  • Did you ever get a solution to this missing route problem on Windows 8?

