I have a pfSense router with an IPsec VPN set up using EAP-MSCHAPv2 per the guide here: pfSense IKEv2 with EAP-MSCHAPv2

Android and iOS clients connect fine; however, ironically, the Windows 10 client does not.

I have set the client connection under Security to IKEv2, Require encryption, Use Extensible Authentication Protocol (EAP) and chosen Microsoft: Secured password (EAP-MSCHAP v2) (encrypted) from the list.

When I connect, it tries to connect but comes back with an 809 error in the logs.

On the pfSense server I get the following:

Time Process PID Message
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 4a:81:0c:de:f0:c0:90:0f:19:06:42:31:35:a2:a2:8d:d3:44:fd:08
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid d5:2e:13:c1:ab:e3:49:da:e8:b4:95:94:ef:7c:38:43:60:64:66:bd
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 6c:ca:bd:7d:b4:7e:94:a5:75:99:01:b6:a7:df:d4:5d:1c:09:1c:cc
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 42:32:b6:16:fa:04:fd:fe:5d:4b:7a:c3:fd:f7:4c:40:1d:5a:43:af
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid a5:06:8a:78:cf:84:bd:74:32:dd:58:f9:65:eb:3a:55:e7:c7:80:dc
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 6d:aa:9b:09:87:c4:d0:d4:22:ed:40:07:37:4d:19:f1:91:ff:de:d3
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 83:31:7e:62:85:42:53:d6:d7:78:31:90:ec:91:90:56:e9:91:b9:e3
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 7e:95:9f:ed:82:8e:2a:ed:c3:7c:0d:05:46:31:ef:53:97:cd:48:49
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 3e:22:d4:2c:1f:02:44:b8:04:10:65:61:7c:c7:6b:ae:da:87:29:9c
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 21:0f:2c:89:f7:c4:cd:5d:1b:82:5e:38:d6:c6:59:3b:a6:93:75:ae
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid bb:c2:3e:29:0b:b3:28:77:1d:ad:3e:a2:4d:bd:f4:23:bd:06:b0:3d
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid b0:19:89:e7:ef:fb:4a:af:cb:14:8f:58:46:39:76:22:41:50:e1:ba
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 17:4a:b8:2b:5f:fb:05:67:75:27:ad:49:5a:4a:5d:c4:22:cc:ea:4e
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 68:33:0e:61:35:85:21:59:29:83:a3:c8:d2:d2:e1:40:6e:7a:b3:c1
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 9c:a9:8d:00:af:74:0d:dd:81:80:d2:13:45:a5:8b:8f:2e:94:38:d6
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Jan 20 16:28:21 charon 07[IKE] <17> received cert request for unknown ca with keyid 3f:4e:08:69:dd:28:07:34:54:85:fe:19:cf:4f:d3:71:86:9a:c0:32
Jan 20 16:28:21 charon 07[IKE] <17> received 46 cert requests for an unknown ca

Right after the selected peer config and then looking for peer configs matching xxx.xxx.xxx.xxx[%any] ... [

Any ideas what is failing?

James Hancock

1 Answer


This seems to be a bug in Windows 10. I am in the exact same boat. Running pfSense 2.3.2 and IKEv2 will not work with Win 10. At the same time, with the exact same settings, Win 7 will connect with no problems.

https://social.technet.microsoft.com/Forums/en-US/a77c6ff5-8a8b-465d-bd09-f862a7c6aa13/ikev2-vpn-routing-bugs?forum=win10itpronetworking

Edit:

Interesting: running Set-VpnConnection -Name 'NameOfVpnConnection' -SplitTunneling $false from PowerShell fixed the VPN on my home Win 10 machine, but it didn't work on my work PC. I need to retest that, but there does seem to be a workaround at least.

Marko
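As an added example (not part of the original answer), a PowerShell helper that inspects an existing Windows 10 VPN connection, reports whether it matches the settings from the question (IKEv2, required encryption, EAP), applies the split-tunneling workaround from the answer only when split tunneling is currently on, and lists recent RasClient dial failures so the 809 can be confirmed from the client side. The connection name, the RasClient event ID 20227 and the wording of its message are assumptions.

```powershell
# Added example: inspect and repair a Windows 10 IKEv2/EAP VPN connection.
# Run as the user who owns the connection (user-scope VPN profiles).
$ConnectionName = 'NameOfVpnConnection'   # assumption: replace with your connection's name

function Test-VpnClientSettings {
    param([string]$Name)
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop
    # The question's client settings: IKEv2 tunnel, encryption required, EAP authentication.
    [pscustomobject]@{
        Name           = $conn.Name
        Server         = $conn.ServerAddress
        TunnelOk       = ($conn.TunnelType -eq 'Ikev2')
        EncryptionOk   = ($conn.EncryptionLevel -eq 'Required')
        EapOk          = ($conn.AuthenticationMethod -contains 'Eap')
        SplitTunneling = $conn.SplitTunneling
    }
}

function Repair-VpnSplitTunneling {
    param([string]$Name)
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop
    if ($conn.SplitTunneling) {
        # Workaround from the answer: send all traffic through the tunnel.
        Set-VpnConnection -Name $Name -SplitTunneling $false -Force
        Write-Host "Split tunneling disabled on '$Name'"
    } else {
        Write-Host "Split tunneling already disabled on '$Name'; nothing changed"
    }
    # Re-read the profile so the caller sees the effective value ($false once applied).
    (Get-VpnConnection -Name $Name).SplitTunneling
}

function Get-RecentVpnFailures {
    param([int]$MaxEvents = 10)
    # Assumption: RasClient records failed dial attempts as event 20227 and the
    # message ends with "The error code returned on failure is <code>."
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = if ($_.Message -match 'error code returned on failure is (\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; ErrorCode = $code; Message = $_.Message }
        }
}

Test-VpnClientSettings -Name $ConnectionName | Format-List
Repair-VpnSplitTunneling -Name $ConnectionName
Get-RecentVpnFailures | Where-Object { $_.ErrorCode -eq 809 } | Format-Table Time, ErrorCode
```

Error 809 means the client got no IKE response from the server at all, which is why a NAT or firewall in the path (as in the comments below) produces the same symptom as the client-side bug the answer describes.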
  • Turns out that the issue was caused by being behind a second pfSense router. Any other router passed the traffic just fine but pfSense eats it. – James Hancock Feb 14 '17 at 00:37
  • @JamesHancock - if you have a VPN inside a double NAT situation (Internet -> router 1 -> router 2 -> server) then for sure you are going to have problems. Need to create passthrough rules etc. My situation was simpler: Client PC -> random home router -> Internet -> pfSense -> server. The Client PC being Win 10 simply will not work without turning off SplitTunneling via PowerShell. PS! Got my work machine to work as well with the same workaround. – Marko Feb 14 '17 at 16:56
  • It isn't double NAT. It's a user inside pfSense NAT 1 connecting to a pfSense VPN that also hosts a NAT 2 but has a direct internet connection. – James Hancock Feb 14 '17 at 17:24