IKEv2 with EAP-MSCHAPv2 connected but no internet access (Resolved)



  • I followed the article https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and I am able to connect a Windows 8.1 machine, but after I do, both the VPN network and my local area connection show no internet.

    I am able to access the remote LAN network but I am not able to access the internet from my local machine.

    Has something changed since this doc was released or am I missing something?

    What if I want to do split tunneling?  I see this, but I did not select it.  Is this the only option?

    Set Local Network as desired, e.g. LAN subnet
    To pass all traffic, including Internet traffic, across the VPN, set the Local Network to 0.0.0.0/0

    Update:  So changing to 0.0.0.0/0 allows traffic to go out the remote gateway, but it can be bad, especially with relation to latency.

    Based on another article I saw the following:

    When you have split tunneling enabled in Windows 10 you can add a VPN connection route for an IPv4 address. The route will only be set when the VPN connection is active (see https://technet.microsoft.com/en-us/library/dn262649.aspx).

    Windows PowerShell Example:
    Add-VpnConnectionRoute -ConnectionName "Contoso" -DestinationPrefix 176.16.0.0/16 -PassThru

    Windows PowerShell Enable Split Tunneling:
    set-vpnconnection Contoso -splittunneling $True

    https://forum.pfsense.org/index.php?topic=101305.10;wap2

    I am assuming that, for example, the VPN issues an IP of 172.50.50.12 on a 172.50.50.0/24 network to the connected computer, so I should add the following command:

    Add-VpnConnectionRoute -ConnectionName "Contoso" -DestinationPrefix 172.50.50.0/24 -PassThru ?



  • OK, so it looks like on Windows 10 you must create the VPN via PowerShell in order for it to work.

    Also, you must add the following command:

    Add-VpnConnectionRoute -ConnectionName "Name of VPN" -DestinationPrefix x.x.x.x/x -PassThru

    Replace the x.x.x.x/x with the remote subnet you will need to access over the VPN. You will need to run this command for every subnet connected to the pfSense that you want the machine with the VPN to connect to.  This includes the subnet you assigned to the VPN, unless you do not care about clients being able to connect to each other.

    Example PowerShell:

    Add-VpnConnectionRoute -ConnectionName "Name of VPN" -DestinationPrefix x.x.x.x/x -PassThru

    Set-VpnConnection -Name "Name of VPN" -SplitTunneling $True

    If you get an error using Set-VpnConnection that the VPN is not in the address book, then create the VPN via PowerShell:

    Add-VpnConnection -Name "Name of VPN" -ServerAddress "DNS hostname or IP address"

    and then configure the settings in the GUI, i.e. IKEv2, EAP required, etc., as outlined in the document.  Then enter the two commands listed above.

    One thing I am curious about is possibly using the -ServerList parameter and allowing the client to be able to connect to either the primary location VPN or the backup location.....
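The full client-side procedure from the two posts above (create the phonebook entry from PowerShell, enable split tunneling, add one connection route per remote subnet, and verify that no 0.0.0.0/0 route is present) as one script. This is an added example and is not code from the original posts or from the pfSense documentation; the connection name, server hostname and subnets are placeholders you must replace, and the 172.50.50.0/24 prefix simply reuses the mobile-client pool from the first post. It assumes Windows 10 with the built-in VpnClient module (Add-VpnConnection, Set-VpnConnection, Add-VpnConnectionRoute, Get-VpnConnection) and that the Routes property of Get-VpnConnection lists the connection routes.

```powershell
# Added example (not from the original posts or the pfSense docs): build a
# split-tunnel IKEv2 / EAP-MSCHAPv2 client connection from PowerShell so that
# Windows does not install a 0.0.0.0/0 default route through the tunnel.
# All values below are placeholders; replace them with your own.

$Name    = "pfSense IKEv2"        # assumed connection (phonebook) name
$Server  = "vpn.example.com"      # assumed hostname; must match the SAN/CN of the server certificate
$Subnets = @(
    "10.10.0.0/24",               # assumed LAN behind pfSense
    "192.168.1.0/24",             # assumed second LAN behind pfSense
    "172.50.50.0/24"              # mobile-client pool from the thread; needed for client-to-client traffic
)

# 1. Create the phonebook entry if it does not exist yet. A missing entry is
#    what makes Set-VpnConnection fail with the "not in the address book" error.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType IKEv2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -PassThru
}
else {
    # Entry already exists (for example created from the GUI): just turn split tunneling on.
    Set-VpnConnection -Name $Name -SplitTunneling $true
}

# 2. Install one connection route per remote subnet. Windows adds these routes
#    only while the tunnel is up and removes them again on disconnect, so the
#    local default route is never touched.
$current = (Get-VpnConnection -Name $Name).Routes | ForEach-Object { $_.DestinationPrefix }
foreach ($prefix in $Subnets) {
    if ($current -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -PassThru
    }
}

# 3. Verify the result: SplitTunneling must be True and the route list must not
#    contain 0.0.0.0/0 (a GUI-created profile tends to end up with that route).
$vpn = Get-VpnConnection -Name $Name
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
$vpn.Routes | Select-Object DestinationPrefix, PrefixSize
if ($vpn.Routes.DestinationPrefix -contains "0.0.0.0/0") {
    Write-Warning "Profile still carries a default route through the tunnel; remove it with Remove-VpnConnectionRoute."
}

# 4. After connecting (rasdial "$Name" <user> <password>, or the Settings UI),
#    confirm the default route still points at the local gateway while only the
#    listed prefixes use the VPN interface:
#    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix 0.0.0.0/0
#    Get-NetRoute -AddressFamily IPv4 | Where-Object InterfaceAlias -eq $Name
```

The IKEv2 tunnel type, EAP authentication and "Required" encryption level mirror the settings the pfSense article has you choose in the GUI; the script only replaces the GUI steps that leave the default route behind. Run it from an elevated PowerShell if you want the profile created for all users (add -AllUserConnection to Add-VpnConnection, Set-VpnConnection and Add-VpnConnectionRoute in that case).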



  • Had a similar problem (0.0.0.0 route always added) when creating the VPN from the Windows GUI, and PowerShell helped. Thanks.

