IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through
I followed the instructions on this page: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to set up my pfSense 2.2.5 and Windows 10 client.
The connection establishes, but my workstation can't access any remote host.
My setup is as follows:
- pfSense with 3 NICs (WAN - public IP with NAT enabled, LAN 192.168.1.0/24, DMZ 192.168.50.0/24)
- Windows 10 workstation on my home network (192.168.0.0/24 - I ensured it would not overlap with any of the networks behind the pfSense), NATed to my ISP-provided public IP
My goal is to access my DMZ servers from my Windows box.
I should be able to ping and connect to internal DMZ servers (notably 192.168.50.10).
No success so far.
I followed the wiki page as closely as I could. Notable customizations are:
- Mobile clients: "Provide a virtual IP address to clients": 192.168.70.0/24
- Mobile clients: "Provide a list of accessible networks to clients": checked or not checked (I tried both); it seems to make no difference.
- Phase 1: "Select the appropriate CA for My Certificate Authority" ==> there is no such field on the screen
- Phase 2: "Set Local Network as desired, e.g. LAN subnet" ==> Tried that, then tried "DMZ subnet", then tried "Network" + 0.0.0.0/0: seems to make no difference either.
I do have an "allow any" rule in the Firewall's IPsec tab.
I even deleted and re-created the whole configuration twice, to make sure I didn't forget something.
Whatever config I try, my Windows routing table never differs from:
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.16 20
[pfsense_public_ip] 255.255.255.255 192.168.0.254 192.168.0.16 21
192.168.0.0 255.255.255.0 On-link 192.168.0.16 276
192.168.0.16 255.255.255.255 On-link 192.168.0.16 276
192.168.0.255 255.255.255.255 On-link 192.168.0.16 276
192.168.70.0 255.255.255.0 On-link 192.168.70.1 21
192.168.70.1 255.255.255.255 On-link 192.168.70.1 276
192.168.70.255 255.255.255.255 On-link 192.168.70.1 276
(127., 224. and broadcast entries omitted for brevity)
I tried to manually add a route:
route add 192.168.50.0 mask 255.255.255.0 0.0.0.0 IF 37 METRIC 21
which adds the following :
192.168.50.0 255.255.255.0 On-link 192.168.70.1 41
But I'm still unable to ping and connect to my DMZ servers :(
Any idea how I could further track down and solve the problem?
I have a very similar issue as well.
Win 10, IPsec with EAP-MSCHAPv2. pfSense 2.2.5-RELEASE.
WAN IP= 83.x.x.x
LAN IP= 172.23.95.72
VPN Client IP range = 172.25.167.0/24
My home client is NATed behind the ISP router and its IP is in the 192.168.69.0/24 subnet.
On Mobile clients, I try with Enabled and Disabled "Provide a list of accessible networks to clients" - same effect on both.
I tried with different "Local Network" on Phase 2 settings - 0.0.0.0/0, LAN network, manual network.
I have routes to specific subnets added in System -> Routing.
All the routes my client gets after connecting are:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.69.1 192.168.69.10 10
83.x.x.x 255.255.255.255 192.168.69.1 192.168.69.10 11
172.25.0.0 255.255.0.0 On-link 172.25.167.1 11
172.25.167.1 255.255.255.255 On-link 172.25.167.1 266
172.25.255.255 255.255.255.255 On-link 172.25.167.1 266
I want to set up 2 possible scenarios: all traffic routed via IPsec, or specific networks only. Neither case, nor settings like the fellow above's, seems to "push routes" to the client.
Is there any advice to what to do, or how to deal with it?
These settings work for Mac OS X (from El Capitan and at least 2 versions back) and Windows 7-10.
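Both posts above show the same symptom: the Windows built-in IKEv2 client comes up with only the virtual-IP subnet on the tunnel interface and no routes for the networks behind pfSense, and a manual route add on the first poster's side did not help. The following is an added PowerShell example, not code from the thread or from the pfSense documentation, that shows how client-side routing for the built-in client is actually controlled: the SplitTunneling flag on the connection decides whether the tunnel takes over the default route, and with split tunneling on, the only routes the client installs are the ones stored on the connection itself with Add-VpnConnectionRoute. The connection name "pfsense-ikev2" is an assumption; the prefixes are the first poster's DMZ and LAN ranges.

```powershell
# Added example (not from the thread). Assumed values: the VPN connection in
# Windows is named "pfsense-ikev2"; the remote networks are the DMZ and LAN
# ranges given in the first post.
$ConnectionName = 'pfsense-ikev2'
$RemotePrefixes = @('192.168.50.0/24', '192.168.1.0/24')

# Read the connection as Windows sees it (fails loudly if the name is wrong).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

"Connection      : {0}" -f $vpn.Name
"Tunnel type     : {0}" -f $vpn.TunnelType
"Split tunneling : {0}" -f $vpn.SplitTunneling
"Status          : {0}" -f $vpn.ConnectionStatus

if (-not $vpn.SplitTunneling) {
    # Split tunneling off = "use default gateway on remote network": once the
    # tunnel is up, Windows sends all traffic through it (the first scenario
    # the second poster wants). No per-network routes are needed in this mode.
    Write-Output 'Split tunneling is off: all traffic goes through the tunnel when connected.'
}
else {
    # Split tunneling on = only networks with a route bound to the VPN
    # connection go through the tunnel (the "specific networks only" scenario).
    # These routes live on the connection object and are installed by Windows
    # each time the tunnel comes up, unlike a one-off "route add".
    foreach ($prefix in $RemotePrefixes) {
        $present = $vpn.Routes | Where-Object { $_.DestinationPrefix -eq $prefix }
        if ($present) {
            "Route already stored on connection: $prefix"
        }
        else {
            "Adding route for $prefix to connection $ConnectionName"
            Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
        }
    }
}

# Verification once the tunnel is up: the routes should be bound to the VPN
# interface, whose alias is the connection name.
if ($vpn.ConnectionStatus -eq 'Connected') {
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -eq $ConnectionName } |
        Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceAlias |
        Format-Table -AutoSize
}
```

Routes added this way take effect the next time the connection is established, so disconnect and reconnect after running the script. This only covers the client half of the path: the pfSense phase 2 local network and the IPsec-tab firewall rules that the first post already discusses still have to cover the same prefixes, otherwise traffic leaves the client through the tunnel and is dropped on the other end.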