IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through
lbndev:
I followed the instructions on this page: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to set up my pfSense 2.2.5 and Windows 10 client.
The connection establishes, but my workstation can't access any remote host.
My setup is as follows:
- pfSense with 3 NICs (WAN - public IP with NAT enabled, LAN 192.168.1.0/24, DMZ 192.168.50.0/24)
- Windows 10 workstation on my home network (192.168.0.0/24 - I ensured it would not overlap with any of the networks behind the pfSense), NATed to my ISP-provided public IP
My goal is to access my DMZ servers from my Windows box.
I should be able to ping and connect to internal DMZ servers (notably 192.168.50.10).
No success so far.
I followed the wiki page as closely as I could. Notable customizations are:
- Mobile clients: "Provide a virtual IP address to clients": 192.168.70.0/24
- Mobile clients: "Provide a list of accessible networks to clients": checked or not checked, I tried both, seems to make no difference.
- Phase 1: "Select the appropriate CA for My Certificate Authority" ==> there is no such field on the screen
- Phase 2: "Set Local Network as desired, e.g. LAN subnet" ==> Tried that, then tried "DMZ subnet", then tried "Network" + 0.0.0.0/0: seems to make no difference either.
I do have an "allow any" rule in the Firewall's IPsec tab.
I even deleted and re-created the whole configuration twice, to make sure I didn't forget something.
Whatever config I try, my Windows routing table never ends up any different from:
0.0.0.0 0.0.0.0 192.168.0.254 192.168.0.16 20
[pfsense_public_ip] 255.255.255.255 192.168.0.254 192.168.0.16 21
192.168.0.0 255.255.255.0 On-link 192.168.0.16 276
192.168.0.16 255.255.255.255 On-link 192.168.0.16 276
192.168.0.255 255.255.255.255 On-link 192.168.0.16 276
192.168.70.0 255.255.255.0 On-link 192.168.70.1 21
192.168.70.1 255.255.255.255 On-link 192.168.70.1 276
192.168.70.255 255.255.255.255 On-link 192.168.70.1 276
(127., 224. and broadcast entries omitted for brevity)
I tried to manually add a route:
route add 192.168.50.0 mask 255.255.255.0 0.0.0.0 IF 37 METRIC 21
which adds the following :
192.168.50.0 255.255.255.0 On-link 192.168.70.1 41
But I'm still unable to ping and connect to my DMZ servers :(
Any idea how I could further track down and solve the problem?
Hazin:
I have a very similar issue as well.
Win 10, IPsec with EAP-MSCHAPv2, pfSense 2.2.5-RELEASE.
WAN IP= 83.x.x.x
LAN IP= 172.23.95.72
VPN Client IP range = 172.25.167.0/24
My home client is NATed behind an ISP router and its IP is in the 192.168.69.0/24 subnet.
On Mobile clients, I tried both Enabled and Disabled for "Provide a list of accessible networks to clients" - same effect on both.
I tried with different "Local Network" on Phase 2 settings - 0.0.0.0/0, LAN network, manual network.
I have routes to specific subnets added in System -> Routing.
All the routes my client gets after connecting are:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.69.1 192.168.69.10 10
83.x.x.x 255.255.255.255 192.168.69.1 192.168.69.10 11
172.25.0.0 255.255.0.0 On-link 172.25.167.1 11
172.25.167.1 255.255.255.255 On-link 172.25.167.1 266
172.25.255.255 255.255.255.255 On-link 172.25.167.1 266
I want to set up 2 possible scenarios: all traffic routed via IPsec, or specific networks only. Neither case, nor settings like the fella above's, seems to "push routes" to the client.
Is there any advice to what to do, or how to deal with it?
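Both posts above hit the same client-side behaviour: the Windows built-in IKEv2 client does not install routes from the list of accessible networks the server pushes. It installs either a default route through the tunnel ("Use default gateway on remote network", i.e. SplitTunneling = $false, Hazin's "whole traffic" scenario) or only the routes stored on the connection object itself (SplitTunneling = $true plus Add-VpnConnectionRoute, the "specific networks" scenario). A one-off `route add` on the tunnel adapter, as lbndev tried, is lost when the adapter goes down. The script below is an added example and not code from either poster or from pfSense; it assumes a VPN connection named "pfSense IKEv2" (hypothetical name) and uses lbndev's LAN and DMZ subnets as the remote networks. Whichever scenario is chosen, the pfSense Phase 2 "Local Network" must still cover those subnets, otherwise packets that match the Windows route are dropped by the IPsec policy on the server side.

```powershell
# Added example (not from the thread): inspect and fix the client-side routing
# of a Windows built-in IKEv2 connection using the VpnClient module cmdlets.
# Assumptions (hypothetical): connection name and the remote subnets below.
$ConnectionName = 'pfSense IKEv2'
$RemoteSubnets  = @('192.168.1.0/24', '192.168.50.0/24')   # LAN and DMZ from the first post

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# The setting that decides everything: SplitTunneling = $false installs 0.0.0.0/0
# through the tunnel; $true installs only the entries in the connection's Routes table.
# Server-pushed "accessible networks" are ignored by this client either way.
'{0}: SplitTunneling={1} ConnectionStatus={2}' -f $vpn.Name, $vpn.SplitTunneling, $vpn.ConnectionStatus

if ($vpn.SplitTunneling) {
    foreach ($prefix in $RemoteSubnets) {
        $existing = $vpn.Routes | Where-Object { $_.DestinationPrefix -eq $prefix }
        if (-not $existing) {
            # Routes stored on the connection are re-applied at every connect,
            # unlike a manual "route add" on the tunnel adapter.
            Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
        }
    }
}
else {
    'Full-tunnel mode: a 0.0.0.0/0 route is installed on connect; no per-subnet routes are needed.'
}

# Verify after (re)connecting: the tunnel interface should own a route for each subnet
# (split tunnel) or a default route (full tunnel).
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in $RemoteSubnets -or $_.DestinationPrefix -eq '0.0.0.0/0' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

To switch a connection between the two scenarios, use `Set-VpnConnection -Name 'pfSense IKEv2' -SplitTunneling $false` for full tunnel or `$true` for split tunnel, then disconnect and reconnect so the routes are (re)installed. Keep the split-tunnel route list to the subnets that are actually needed; every prefix added here is traffic that bypasses the local network's own policy.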
pinoyboy:
These settings work for Mac OS X (from El Capitan and at least 2 versions back) and Windows 7-10.