Switching to IPsec
-
Hi,
So i guess Im going to switch to IPsec because PPTP have issues when behind pfSense trying to connect to another pfSense the error 619 (GRE issues) But on the Wiki it says "Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, an IKEv2 implementation may be a better fit." How stable is IPsec on 2.2.2?Thank you
-
Generally stable on 2.2.2, but better on 2.2.4 or 2.2.5. IKEv2 is significantly less complicated than dealing with both L2TP and IPsec layers, usually a better choice.
-
Thanks cmb for the reply,
I should follow this https://doc.pfsense.org/index.php/L2TP/IPsec step by step and should be able to get running IPsec smoothly? all i need is to able to ping my windows server and access my shared folders nothing to big
Thank you
-
Better off using https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
-
Hi,
Thanks for the reply and just wondering for Mac and ios would it be possible?Thank you
-
So i wanted to give a shot to IPsec to test it out. And having the error 789 when trying to connect though windows
then i checked the pfSense logs
see pictures
pfSense is the 181.xx.xx.xx and im the 201.xx.xx.xx
Anything i missed?
Thank you
-
EDIT: so i have been trying to get IPsec working but nothing whats funny when im trying to connect from the 201.xx.xx.xx to my pfsense VPN the 181.xx.xx.xx shows that its establish but on the ipsec status but it gives and error on my windows vpn see pictures
-
EDIT: so i have been trying to get IPsec working but nothing whats funny when im trying to connect
Did you follow the suggestion from @cmb and did an upgrade from version 2.2.2 to 2.2.4 or 2.2.5? ;)
-
Hi BlueKobold,
Thanks for the reply well…..cmb did say it was generally stable i was going on a limb that 8/10 would work but not even 1 time I have been able to log on though the VPN so i know im doing something wrong with the configuration.EDIT: so on ios iphone 4s 7.1.2 i am able to connect perfect and ping 8.8.8.8 but cannot navigate while connected to a wifi that has NAT :( but when i tried to connect on windows 8.1 says error on authentication so then I changed the algorithm on phase 1 mobile client to 3DES and DH key group to 2. Then i connected to WIFI that has no NAT and connected and ping 8.8.8.8 perfect but no navigation. Again connected to the wifi that has the NAT gave me some 809 error on the VPN.
So my real question is how come I cannot connect on windows 8.1 behind NAT while on iphone I can very very odd...
Wifi NAT------IOS------VPN connects no navigation but able to ping google
Wifi no NAT------windows 8.1-----VPN connects no navigation but able to ping google
Wifi NAT--------windows 8.1-----VPN does not connect gives me the 809 error
??? ??? ??? ??? ???
-
so just updated to 2.2.4 still nothing same issue so now im trying to to get ikev2 working and on the wiki not very clear on the part
Click "+" to add a new Alternative Name
Enter DNS in the Type fieldis that the DNS of my windows server? which is 192.168.3.253
Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.
is that the WAN IP or the IP of the firewall? I would expect the WAN because it says if clients will connect by IP address place the IP?
Click "+" to add a new Alternative Name
Enter IP in the Type fieldis that the IP of the firewall?
see pics
When i try to save gives me this error
*Also my WAN IP changed so its now the 233.XX.XX.XX
Thank you
-
hummm…. ???
IP should contain "IP" not the IP :-
I mean that what is expected here is the type of alternate name. And this type is IP, letter "I" then letter "P" without space in the middle.
Give a try and let us know.Of course if type is IP, then content should be IP address ;)
-
hey chris, thanks for the reply got the certs working but i followed exactly https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
and nothing :( I get the 619 error on windows 8.1. I see on the logs thats the cert was accepted so i have no idea why its not working :( i tried it behind a NAT and another wifi without no NAT
The part where it says edit pre shared key the username can be something like example@hotmail.com? or does it need to be a real email? because the part where it says
Enter an e-mail address style username, such as user@example.com
because under that type of username it shows as if my domain is hotmail.com when trying to connect to the VPN which I believe that's not
correctSee picture
Thank you
-
@killmasta93
Did you ever thought about to update to version 2.2.5 and then trying out the ShrewSoft VPN Klient?
(Freeware and free of charge) There are also good tutorials out there to configure it right! -
BlueKobold thanks for the reply i would rather use the built in VPN that comes with windows, I was considering openvpn but because i would need to download the client i went to IPsec. I just ended up doing L2TP without IPsec. Im going to wait until its more stable. I could not find the 2.2.5 but as cmb stated it should work on 2.2.4 which is very odd because it shows that the client connects to IPsec but on ios cannot navigate but able to ping google (maybe a dns issue) then on windows cannot connect to L2TP but IPsec shows connected which was behind NAT but without NAT works but cannot navigate, so long story short im not sure how people have it working or they maybe use the shrewsoft vpn client or most of the people use OPENVPN.
Thanks again