IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through



  • Hello,

    I followed the instructions on this page: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to set up my pfSense 2.2.5 and Windows 10 client.
    The connection establishes, but my workstation can't access any remote host.

    My setup is as follows :
      - PFSense with 3 NICs (WAN - public IP with NAT enabled, LAN 192.168.1.0/24, DMZ 192.168.50.0/24)
      - Windows 10 workstation on my home network (192.168.0.0/24 - I ensured it would not overlap with any of the networks behind the pfsense), NATed to my ISP-provided public IP

    My goal is to access my DMZ servers from my Windows box.
    I should be able to ping and connect to internal DMZ servers (notably 192.168.50.10).
    No success so far.

    I followed the wiki page as closely as I could. Notable customizations are :
      - Mobile clients : "Provide a virtual IP address to clients" : 192.168.70.0/24
      - Mobile clients : "Provide a list of accessible networks to clients" : checked, or not checked, I tried both, seems to make no difference.
      - Phase 1 : "Select the appropriate CA for My Certificate Authority" ==> there is no such field on the screen
      - Phase 2 : "Set Local Network as desired, e.g. LAN subnet" ==> Tried that, then tried "DMZ subnet", then tried "Network" + 0.0.0.0/0 : seems to make no difference either.

    I do have an "allow any" rule in the Firewall's IPsec tab.
    I even deleted and re-created the whole configuration twice, to make sure I didn't forget something.

    Whatever config I try, my Windows routing table never gets different from :
    0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.16    20
    [pfsense_public_ip]  255.255.255.255    192.168.0.254    192.168.0.16    21
    192.168.0.0    255.255.255.0        On-link      192.168.0.16    276
    192.168.0.16  255.255.255.255        On-link      192.168.0.16    276
    192.168.0.255  255.255.255.255        On-link      192.168.0.16    276
    192.168.70.0    255.255.255.0        On-link      192.168.70.1    21
    192.168.70.1  255.255.255.255        On-link      192.168.70.1    276
    192.168.70.255  255.255.255.255        On-link      192.168.70.1    276
    (127., 224. and broadcast entries omitted for brevity)

    I tried to manually add a route :
      route add 192.168.50.0 mask 255.255.255.0 0.0.0.0 IF 37 METRIC 21
    which adds the following :
      192.168.50.0    255.255.255.0        On-link      192.168.70.1    41
    But I'm still unable to ping and connect to my DMZ servers :(

    Any idea how I could further track down and solve the problem ?

    Thank you



  • Hi,

    I have a very similar issue as well.
    Win 10, IPsec with EAP-MSCHAPv2. pfSense 2.2.5-RELEASE.
    WAN IP= 83.x.x.x
    LAN IP= 172.23.95.72
    VPN Client IP range = 172.25.167.0/24

    My home client is NATed behind the ISP router and its IP is in the 192.168.69.0/24 subnet.

    On Mobile clients, I try with Enabled and Disabled "Provide a list of accessible networks to clients" - same effect on both.
    I tried with different "Local Network" on Phase 2 settings - 0.0.0.0/0, LAN network, manual network.

    I have routes to specific subnets added in System -> Routings

    All the routes my client gets after connection are:

    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0    192.168.69.1    192.168.69.10    10
        83.x.x.x  255.255.255.255    192.168.69.1    192.168.69.10    11
          172.25.0.0      255.255.0.0        On-link      172.25.167.1    11
        172.25.167.1  255.255.255.255        On-link      172.25.167.1    266
      172.25.255.255  255.255.255.255        On-link      172.25.167.1    266

    I want to set up 2 possible scenarios: whole traffic routed via IPsec, or specific networks only. Neither case, nor settings like the fellow above's, seems to "push routes" to the client.
    Is there any advice to what to do, or how to deal with it?
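    An added example, not from either poster, that checks and pins the client-side split-tunnel routes on the Windows 10 machine for the situation both posts describe: the route table only gets what the connection's properties say, so a one-off "route add" against an interface index is lost on the next reconnect. The connection name "pfSense-IKEv2" is a hypothetical placeholder; the DMZ prefix and host are the ones from the first post.

```powershell
# Added example: inspect and fix the Windows 10 side of an IKEv2 split tunnel.
# Assumes the VPN entry in the Windows phone book is named "pfSense-IKEv2"
# (hypothetical name) and the DMZ behind pfSense is 192.168.50.0/24 as in the post.
$vpnName   = 'pfSense-IKEv2'
$dmzPrefix = '192.168.50.0/24'
$dmzHost   = '192.168.50.10'

$vpn = Get-VpnConnection -Name $vpnName -ErrorAction Stop

# 1. Show how Windows currently routes this connection.
#    SplitTunneling = $false : Windows installs a default route through the tunnel.
#    SplitTunneling = $true  : only the prefixes in .Routes are routed through it,
#    plus a class-based route for the virtual IP unless that option is disabled in
#    the connection's IPv4 properties (the 172.25.0.0/16 entry above is such a route).
$vpn | Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod,
    SplitTunneling, @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' } }

# 2. Switch to split tunneling and attach the DMZ prefix to the connection itself,
#    so it is re-added every time the tunnel comes up.
Set-VpnConnection -Name $vpnName -SplitTunneling $true
if (-not ($vpn.Routes.DestinationPrefix -contains $dmzPrefix)) {
    Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix $dmzPrefix -PassThru
}

# 3. Once connected, confirm the route is bound to the tunnel's virtual IP and that
#    the DMZ host answers. If the route is right but the host is silent, the problem
#    is on the pfSense side (Phase 2 local network / IPsec-tab firewall rules).
if ((Get-VpnConnection -Name $vpnName).ConnectionStatus -eq 'Connected') {
    Get-NetRoute -DestinationPrefix $dmzPrefix |
        Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
    Test-NetConnection -ComputerName $dmzHost -InformationLevel Detailed
}
```

    Run it from an elevated PowerShell session after the connection has been created; step 3 only produces output while the tunnel is up.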



  • These settings work for Mac OS X (from El Capitan and 2 versions back at least) and Windows 7-10

    :)



  • And importantly…add firewall rules...

