IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through

  • Hello,

    I followed the instructions on this page: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to set up my PFSense 2.2.5 and Windows 10 client.
    The connection establishes, but my workstation can't access any remote host.

    My setup is as follows:
      - PFSense with 3 NICs (WAN - public IP with NAT enabled, LAN, DMZ)
      - Windows 10 workstation on my home network ( - I ensured it would not overlap with any of the networks behind the pfsense), NATed to my ISP-provided public IP

    My goal is to access my DMZ servers from my Windows box.
    I should be able to ping and connect to internal DMZ servers (notably
    No success so far.

    I followed the wiki page as closely as I could. Notable customizations are:
      - Mobile clients : "Provide a virtual IP address to clients" :
      - Mobile clients : "Provide a list of accessible networks to clients" : checked, or not checked, I tried both, seems to make no difference.
      - Phase 1 : "Select the appropriate CA for My Certificate Authority" ==> there is no such field on the screen
      - Phase 2 : "Set Local Network as desired, e.g. LAN subnet" ==> Tried that, then tried "DMZ subnet", then tried "Network" + : seems to make no difference either.

    I do have an "allow any" rule in the Firewall's IPsec tab.
    I even deleted and re-created the whole configuration twice, to make sure I didn't forget something.

    Whatever config I try, my Windows routing table never gets different from :    20
    [pfsense_public_ip]    21        On-link    276        On-link    276        On-link    276        On-link    21        On-link    276        On-link    276
    (127., 224. and broadcast entries omitted for brevity)

    I tried to manually add a route:
      route add mask IF 37 METRIC 21
    which adds the following :        On-link    41
    But I'm still unable to ping and connect to my DMZ servers :(

    Any idea how I could further track down and solve the problem?

    Thank you

  • Hi,

    I have a very similar issue as well.
    Win 10, IPsec with EAP-MSCHAPv2. PFsense 2.2.5-RELEASE.
    WAN IP= 83.x.x.x
    LAN IP=
    VPN Client IP range =

    My home client is NATed behind the ISP router and its IP is in subnet.

    On Mobile clients, I try with Enabled and Disabled "Provide a list of accessible networks to clients" - same effect on both.
    I tried with different "Local Network" on Phase 2 settings -, LAN network, manual network.

    I have routes to specific subnets added in System -> Routing

    All the routes my client gets after connection are:

    Network Destination        Netmask          Gateway      Interface  Metric
        83.x.x.x    11
        On-link    11        On-link    266        On-link    266

    I want to set up 2 possible scenarios: whole traffic routed via IPsec, or specific networks only. Neither case, nor settings like the fella above used, seems to "push routes" to the client.
    Is there any advice to what to do, or how to deal with it?
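
    Both posts above describe the same symptom: the tunnel comes up but the Windows routing table gains no route to the remote networks. The built-in Windows client does not take routes from the network list pfSense offers; it installs either a default route through the tunnel (split tunneling off) or only the routes explicitly attached to the phonebook entry (split tunneling on). The PowerShell below is an added example, not code from either poster or from pfSense; the connection name 'pfSense-IKEv2', the DMZ subnet 10.99.0.0/24 and the host 10.99.0.10 are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): check the Windows built-in IKEv2
# connection and make sure the DMZ subnet is routed through the tunnel.
# Placeholders (assumptions, not from the thread): connection name,
# DMZ prefix and DMZ host.
$ConnName  = 'pfSense-IKEv2'
$DmzPrefix = '10.99.0.0/24'
$DmzHost   = '10.99.0.10'

# 1. Phonebook settings. SplitTunneling = $true means no default route goes
#    through the tunnel, so without attached routes nothing is reachable.
#    SplitTunneling = $false is the "whole traffic via IPsec" scenario.
$vpn = Get-VpnConnection -Name $ConnName -ErrorAction Stop
$vpn | Select-Object Name, ConnectionStatus, TunnelType,
                     AuthenticationMethod, SplitTunneling | Format-List

# 2. Routes already attached to the phonebook entry (empty in both posts).
Write-Host "Routes attached to '$ConnName':"
$vpn.Routes | Select-Object DestinationPrefix, RouteMetric | Format-Table -AutoSize

# 3. Attach the DMZ subnet to the connection. Unlike a manual 'route add'
#    against a transient interface index (IF 37 in the first post), this
#    route is re-installed every time the connection comes up.
if ($vpn.SplitTunneling -and -not ($vpn.Routes.DestinationPrefix -contains $DmzPrefix)) {
    Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $DmzPrefix -PassThru
}

# 4. With the tunnel up, confirm the live routing table agrees (the RAS
#    interface alias equals the connection name while connected) and test
#    reachability of a DMZ host.
if ($vpn.ConnectionStatus -eq 'Connected') {
    Get-NetRoute -InterfaceAlias $ConnName -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceMetric |
        Format-Table -AutoSize
    Test-NetConnection -ComputerName $DmzHost -InformationLevel Detailed
}
```

    If the route is present but the ping still fails, the client side is fine and the remaining suspects are the pfSense Phase 2 local network (it must cover the DMZ subnet) and the IPsec-tab firewall rules.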

  • These settings work for Mac OS X (from El Capitan and 2 versions back at least) and Windows 7-10


  • And importantly…add firewall rules...
