Netgate Discussion Forum

    Switching to IPsec

    • K
      killmasta93

      Hi,
      So I guess I'm going to switch to IPsec because PPTP has issues when behind pfSense trying to connect to another pfSense: error 619 (GRE issues). But the wiki says "Users have reported issues with Windows L2TP/IPsec clients behind NAT. If the clients will be behind NAT, an IKEv2 implementation may be a better fit." How stable is IPsec on 2.2.2?

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

      • C
        cmb

        Generally stable on 2.2.2, but better on 2.2.4 or 2.2.5. IKEv2 is significantly less complicated than dealing with both L2TP and IPsec layers, usually a better choice.

        • K
          killmasta93

          Thanks cmb for the reply,

          I should follow this https://doc.pfsense.org/index.php/L2TP/IPsec step by step and should be able to get IPsec running smoothly? All I need is to be able to ping my Windows server and access my shared folders, nothing too big.

          Thank you

          • C
            cmb

            Better off using https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

            • K
              killmasta93

              Hi,
              Thanks for the reply. Just wondering, would it be possible for Mac and iOS?

              Thank you

              • K
                killmasta93

                So I wanted to give IPsec a shot to test it out, and I'm getting error 789 when trying to connect through Windows.

                Then I checked the pfSense logs.

                See pictures.

                pfSense is the 181.xx.xx.xx and I'm the 201.xx.xx.xx.

                Anything I missed?

                Thank you

                • K
                  killmasta93

                  EDIT: So I have been trying to get IPsec working, but nothing. What's funny is that when I'm trying to connect from the 201.xx.xx.xx to my pfSense VPN, the 181.xx.xx.xx, the IPsec status shows that it's established, but it gives an error on my Windows VPN. See pictures.

                  • ?
                    Guest

                    EDIT: So I have been trying to get IPsec working, but nothing. What's funny is that when I'm trying to connect

                    Did you follow the suggestion from @cmb and upgrade from version 2.2.2 to 2.2.4 or 2.2.5?  ;)

                    • K
                      killmasta93

                      Hi BlueKobold,
                      Thanks for the reply. Well… cmb did say it was generally stable. I was going out on a limb that 8/10 times it would work, but not even one time have I been able to log on through the VPN, so I know I'm doing something wrong with the configuration.

                      EDIT: So on iOS (iPhone 4S, 7.1.2) I am able to connect perfectly and ping 8.8.8.8 but cannot navigate while connected to a WiFi that has NAT :( But when I tried to connect on Windows 8.1 it says error on authentication, so then I changed the algorithm on phase 1 mobile client to 3DES and DH key group to 2. Then I connected to a WiFi that has no NAT and connected and pinged 8.8.8.8 perfectly, but no navigation. Again connected to the WiFi that has the NAT and it gave me some 809 error on the VPN.

                      So my real question is: how come I cannot connect on Windows 8.1 behind NAT while on iPhone I can? Very, very odd...

                      WiFi NAT ------ iOS ------ VPN connects, no navigation but able to ping Google

                      WiFi no NAT ------ Windows 8.1 ------ VPN connects, no navigation but able to ping Google

                      WiFi NAT ------ Windows 8.1 ------ VPN does not connect, gives me the 809 error

                      • K
                        killmasta93

                        So I just updated to 2.2.4, still nothing, same issue. So now I'm trying to get IKEv2 working, and the wiki is not very clear on this part:

                        Click "+" to add a new Alternative Name
                        Enter DNS in the Type field

                        Is that the DNS of my Windows server? Which is 192.168.3.253

                        Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.

                        Is that the WAN IP or the IP of the firewall? I would expect the WAN because it says if clients will connect by IP address place the IP?

                        Click "+" to add a new Alternative Name
                        Enter IP in the Type field

                        Is that the IP of the firewall?

                        See pics

                        When I try to save it gives me this error

                        *Also my WAN IP changed so it's now the 233.XX.XX.XX

                        Thank you

                        • C
                          chris4916

                          hummm…

                          IP should contain "IP" not the IP
                          I mean that what is expected here is the type of alternate name. And this type is IP, letter "I" then letter "P" without space in the middle.
                          Give it a try and let us know.

                          Of course if type is IP, then content should be IP address  ;)

                          Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

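The distinction chris4916 draws between the Type of an Alternative Name and its value can be checked on a certificate from the command line. This is an added example, not part of any post in the thread: it assumes the `openssl` CLI (1.1.1 or later), and `make_cert`, `san_covers`, `vpn.example.com` and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostname and addresses are constructed (RFC 5737 ranges).

# make_cert CRT KEY CN SAN: write a throwaway self-signed certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2" -out "$1" -subj "/CN=$3" \
        -addext "subjectAltName=$4" 2>/dev/null
}

# san_covers CRT TARGET: exit 0 if TARGET, the name or address a client
# dials, matches the certificate. Addresses are checked against IP-type
# entries only; names are checked against DNS-type entries (OpenSSL falls
# back to the CN only when the certificate has no DNS-type entry).
san_covers() {
    case "$2" in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # contains letters: a hostname
        *)         flag=-checkip ;;    # dotted IPv4
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" |
        grep -q 'does match certificate'
}

demo() {
    dir=$(mktemp -d)
    make_cert "$dir/vpn.crt" "$dir/vpn.key" vpn.example.com \
        "DNS:vpn.example.com,IP:203.0.113.10"
    # 198.51.100.7 stands in for a WAN address that changed after issuance.
    for target in vpn.example.com 203.0.113.10 198.51.100.7; do
        if san_covers "$dir/vpn.crt" "$target"; then
            echo "$target: covered"
        else
            echo "$target: not covered, reissue the certificate"
        fi
    done
    rm -rf "$dir"
}

demo
```
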
                          • K
                            killmasta93

                            Hey chris, thanks for the reply. Got the certs working, but I followed https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 exactly

                            and nothing :( I get the 619 error on Windows 8.1. I see in the logs that the cert was accepted so I have no idea why it's not working :( I tried it behind a NAT and on another WiFi without NAT.

                            The part where it says edit pre shared key: can the username be something like example@hotmail.com, or does it need to be a real email? Because the part where it says

                            Enter an e-mail address style username, such as user@example.com

                            because under that type of username it shows as if my domain is hotmail.com when trying to connect to the VPN, which I believe is not correct.

                            See picture

                            Thank you

                            • ?
                              Guest

                              @killmasta93
                              Did you ever think about updating to version 2.2.5 and then trying out the ShrewSoft VPN client?
                              (Freeware and free of charge) There are also good tutorials out there to configure it right!

                              ShrewSoftVPN Client
                              ShrewSoftVPN HowTo pfSense

                              • K
                                killmasta93

                                BlueKobold, thanks for the reply. I would rather use the built-in VPN that comes with Windows. I was considering OpenVPN, but because I would need to download the client I went to IPsec. I just ended up doing L2TP without IPsec. I'm going to wait until it's more stable. I could not find the 2.2.5, but as cmb stated it should work on 2.2.4, which is very odd because it shows that the client connects to IPsec, but on iOS it cannot navigate but is able to ping Google (maybe a DNS issue); then on Windows it cannot connect to L2TP but IPsec shows connected, which was behind NAT, but without NAT it works but cannot navigate. So long story short, I'm not sure how people have it working, or maybe they use the ShrewSoft VPN client, or most people use OpenVPN.

                                Thanks again

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.