Netgate Discussion Forum
IKEv2 MSCHAPv2 and Windows 10 client - no traffic goes through

    IPsec
lbndev:

      Hello,

I followed the instructions on this page: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 to set up my PFSense 2.2.5 and Windows 10 client.
The connection establishes, but my workstation can't access any remote host.

My setup is as follows:
        - PFSense with 3 NICs (WAN - public IP with NAT enabled, LAN 192.168.1.0/24, DMZ 192.168.50.0/24)
        - Windows 10 workstation on my home network (192.168.0.0/24 - I ensured it would not overlap with any of the networks behind the pfsense), NATed to my ISP-provided public IP

      My goal is to access my DMZ servers from my Windows box.
      I should be able to ping and connect to internal DMZ servers (notably 192.168.50.10).
      No success so far.

I followed the wiki page as closely as I could. Notable customizations are:
        - Mobile clients : "Provide a virtual IP address to clients" : 192.168.70.0/24
        - Mobile clients : "Provide a list of accessible networks to clients" : checked, or not checked, I tried both, seems to make no difference.
        - Phase 1 : "Select the appropriate CA for My Certificate Authority" ==> there is no such field on the screen
        - Phase 2 : "Set Local Network as desired, e.g. LAN subnet" ==> Tried that, then tried "DMZ subnet", then tried "Network" + 0.0.0.0/0 : seems to make no difference either.

I do have an "allow any" rule in the Firewall's IPsec tab.
      I even deleted and re-created the whole configuration twice, to make sure I didn't forget something.

Whatever config I try, my Windows routing table never gets different from:
      0.0.0.0          0.0.0.0    192.168.0.254    192.168.0.16    20
      [pfsense_public_ip]  255.255.255.255    192.168.0.254    192.168.0.16    21
      192.168.0.0    255.255.255.0        On-link      192.168.0.16    276
      192.168.0.16  255.255.255.255        On-link      192.168.0.16    276
      192.168.0.255  255.255.255.255        On-link      192.168.0.16    276
      192.168.70.0    255.255.255.0        On-link      192.168.70.1    21
      192.168.70.1  255.255.255.255        On-link      192.168.70.1    276
      192.168.70.255  255.255.255.255        On-link      192.168.70.1    276
(127., 224. and broadcast entries omitted for brevity)

I tried to manually add a route:
        route add 192.168.50.0 mask 255.255.255.0 0.0.0.0 IF 37 METRIC 21
which adds the following:
        192.168.50.0    255.255.255.0        On-link      192.168.70.1    41
      But I'm still unable to ping and connect to my DMZ servers :(

Any idea how I could further track down and solve the problem?

      Thank you

Hazin:

        Hi,

I have a very similar issue as well.
Win 10, IPsec with EAP-MSCHAPv2. PFsense 2.2.5-RELEASE.
        WAN IP= 83.x.x.x
        LAN IP= 172.23.95.72
        VPN Client IP range = 172.25.167.0/24

My home client is NATed behind the ISP router and its IP is in the 192.168.69.0/24 subnet.

On Mobile clients, I tried with "Provide a list of accessible networks to clients" both enabled and disabled - same effect on both.
I tried with different "Local Network" settings on Phase 2 - 0.0.0.0/0, LAN network, manual network.

        I have routes to specific subnets added in System -> Routings

All routes my client gets after connection are:

        Network Destination        Netmask          Gateway      Interface  Metric
                  0.0.0.0          0.0.0.0    192.168.69.1    192.168.69.10    10
            83.x.x.x  255.255.255.255    192.168.69.1    192.168.69.10    11
              172.25.0.0      255.255.0.0        On-link      172.25.167.1    11
            172.25.167.1  255.255.255.255        On-link      172.25.167.1    266
          172.25.255.255  255.255.255.255        On-link      172.25.167.1    266

I want to set up 2 possible scenarios: whole traffic routed via IPsec, or specific networks only. Neither case, nor settings like the fella above used, seems to "push routes" to the client.
Is there any advice on what to do, or how to deal with it?
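Both routing tables posted above share the same symptom: once the IKEv2 tunnel is up, the only routes bound to the virtual address (192.168.70.1 in the first post, 172.25.167.1 in the second) are the on-link entries for the virtual subnet itself, and there is neither a default route nor a route for the LAN/DMZ behind pfSense through the tunnel. On Windows 10 the built-in IKEv2 client does not learn those prefixes from the gateway; whether Windows installs a default route through the tunnel depends on the connection's split-tunneling setting, and in split-tunnel mode only prefixes registered on the connection with Add-VpnConnectionRoute are routed into it. The following PowerShell script is an added example, not code from the thread or from pfSense: it inspects the connection, lists the routes on the tunnel interface, registers the DMZ prefix from the first post if split tunneling is on and the prefix is missing, and then checks which interface Windows would use for the DMZ host. The connection name is a hypothetical placeholder; the prefix 192.168.50.0/24 and host 192.168.50.10 come from the first post (a reader in the second poster's situation would substitute their own LAN prefix).

```powershell
# Added example (not from the thread or from pfSense): check and fix routing for a
# Windows 10 IKEv2 VPN connection that connects but cannot reach remote networks.
# Assumptions: the VPN entry was created in Windows under the name below (hypothetical);
# the DMZ prefix and test host are the ones named in the first post. Run in an elevated
# PowerShell after the tunnel is connected.
$ConnectionName = 'pfSense-IKEv2'     # hypothetical name of the Windows VPN entry
$RemotePrefix   = '192.168.50.0/24'   # DMZ behind pfSense (from the first post)
$TestHost       = '192.168.50.10'     # DMZ server the poster wants to reach

# 1. Look at the connection as Windows sees it. SplitTunneling = $false means Windows
#    should add a 0.0.0.0/0 route via the tunnel when connected; $true means only the
#    prefixes listed under Routes are sent into the tunnel, everything else stays on
#    the physical interface (which matches the posted routing tables).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
$vpn | Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod, SplitTunneling, Routes

# 2. Show the IPv4 routes currently bound to the tunnel interface. Windows names the
#    RAS interface after the connection, so the alias equals the connection name.
$ifIndex = (Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction Stop).ifIndex
Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize

# 3. In split-tunnel mode, register the DMZ prefix on the connection if it is missing.
#    Unlike a manual 'route add ... IF <n>', this is stored with the VPN entry and
#    re-applied by Windows on every connect.
if ($vpn.SplitTunneling -and -not ($vpn.Routes.DestinationPrefix -contains $RemotePrefix)) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $RemotePrefix -PassThru
}

# 4. Confirm which interface the stack would pick for the DMZ host, then probe it.
#    If the chosen InterfaceAlias is still the physical NIC, the problem is on the
#    client side; if it is the tunnel and the probe still fails, look at the pfSense
#    side (Phase 2 local network must include the prefix, plus the IPsec tab rules).
Find-NetRoute -RemoteIPAddress $TestHost | Select-Object -Last 1 |
    Format-List InterfaceAlias, DestinationPrefix, NextHop
Test-NetConnection -ComputerName $TestHost -InformationLevel Detailed
```

Adding the route only makes the client hand the packets to the tunnel; the pfSense Phase 2 traffic selector still has to cover 192.168.50.0/24 (the "Local Network" the first poster experimented with) and the IPsec tab rule has to permit the traffic, otherwise the packets are encrypted, arrive at pfSense, and are dropped there rather than on the client.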

pinoyboy:

These settings work for Mac OS X (from El Capitan and 2 versions back at least) and Windows 7-10

          :)

pinoyboy:

            And importantly…add firewall rules...
