OPNsense Forum

English Forums => Virtual private networks => Topic started by: ntkevinshao on July 26, 2022, 05:00:06 am

Title: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: ntkevinshao on July 26, 2022, 05:00:06 am
Dear all:
(1) OPNsense 22.1.10 VMware VM running on PC 1
     NIC 1(LAN) : host only with IP address is static 192.168.1.1 /24
     NIC 2(WAN) : bridged to PC1's Ethernet adapter with DHCP IP 10.0.1.127 /22
     IPsec Mobile Client related setting :
        CA and Certificates were correctly generated
        Backend for Authentication is set to "Local Database"
        Client IP address pool : 10.10.0.0 /24
        IPsec Tunnel Phase 2 Local Network is set to "LAN subnet"
        user correctly configured under Pre-Shared Keys menu with Type "EAP"
     OPNsense Firewall Rules are set to allow all on WAN, LAN and IPsec interface
(2) PC 2(Windows 10) DHCP IP 10.0.1.241 used for IPsec Mobile Client test using Windows 10's built-in VPN client connection

My problems:
1. PC2 using Windows 10 VPN client can successfully log in and connect to OPNsense and gets IP address 10.10.0.1 /32. Is this normal? I assumed PC2 should get 10.10.0.1 /24.
2. PC2 cannot access the OPNsense LAN subnet; ping 192.168.1.1 failed. I checked PC2's route table, and there was no route to 192.168.1.0/24 added.

Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: ntkevinshao on July 26, 2022, 05:21:13 am
My bad, I found out why: I forgot to check Install Policy in the Tunnel Phase 1 Configuration.
Now PC2 can ping 192.168.1.1 but cannot ping 8.8.8.8. How can I do split tunneling so only traffic to 192.168.1.0/24 is routed over the IPsec tunnel, and all other traffic is routed over PC2's existing default gateway?
Now when I check PC2's route table, the default route 0.0.0.0/0 next hop is set to the 10.10.0.1 tunnel interface, which is not what I want. What I want is to have 192.168.1.0/24 with next hop 10.10.0.1 installed in PC2's route table.
Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: mimugmail on July 26, 2022, 06:07:54 am
Go into the adapter settings and untick "use this connection as default".
Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: ntkevinshao on July 26, 2022, 06:36:07 am
Adapter settings? Where is that?
Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: mimugmail on July 26, 2022, 08:28:58 am
https://www.google.com/search?q=windows+10+vpn+default+gateway&client=ms-android-hmd-rev2&prmd=ivn&sxsrf=ALiCzsZ92SXDkOACiayWy7HaeD3ruDOaGw:1658816909292&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjO2__E9pX5AhU4h_0HHYHDBG0Q_AUoAXoECAIQAQ&biw=412&bih=756&dpr=2.63#imgrc=an7bcV3ilEh5pM
Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: ntkevinshao on July 26, 2022, 08:48:11 am
Thanks, it worked. Now my remote Win 10 PC's VPN connection is up, and its default gateway is its original default gateway, not the IPsec tunnel.
But I have another problem: my Win 10 PC did not learn the route to the OPNsense LAN subnet via this tunnel interface. Did I still miss anything?
Title: Re: IPsec Mobile Client with EAP-MASCHAPv2 (Windows 10 built-in VPN Client)
Post by: mimugmail on July 26, 2022, 10:01:27 am
https://www.google.com/search?q=windows+10+ikev2+add+routes+on+startup&rlz=1C1CHBF_deDE698DE698&oq=windows+10+ikev2+add+routes+on+startup&aqs=chrome..69i57j0i546l2.10409j0j7&sourceid=chrome&ie=UTF-8
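What the two answers point at, done from PowerShell instead of the adapter GUI, as an added example that is not from this thread or from OPNsense: the built-in Windows 10 IKEv2 client is told not to take the remote default gateway, and a route for the OPNsense LAN is attached to the connection so it is re-installed on every connect. The connection name is an assumption; the server address and LAN prefix are the thread's own values.

```powershell
# Added example: split-tunnel the Windows 10 built-in IKEv2 client.
# Assumed values from the thread: OPNsense WAN 10.0.1.127, LAN 192.168.1.0/24.
$ConnectionName = 'OPNsense-IKEv2'     # assumed name, pick any
$Server         = '10.0.1.127'         # OPNsense WAN address (from the thread)
$LanPrefix      = '192.168.1.0/24'     # OPNsense LAN subnet (from the thread)

# Create the connection if it does not exist yet. AuthenticationMethod Eap uses
# the client's default EAP method (username/password, matching the "EAP" entry
# under Pre-Shared Keys and the "Local Database" backend). The CA that signed
# the OPNsense server certificate must be in the machine's Trusted Root store,
# otherwise IKEv2 fails at server authentication before EAP even starts.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $Server `
        -TunnelType IKEv2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -RememberCredential -Force
}

# Split tunneling is the PowerShell equivalent of unticking
# "Use default gateway on remote network" in the adapter's IPv4 settings:
# 0.0.0.0/0 stays on the PC's existing gateway.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# A split-tunnel client then has no route to the LAN at all (the thread's
# second problem). A route bound to the connection is added automatically
# each time the tunnel comes up, so no manual "route add" after connecting.
$existing = (Get-VpnConnection -Name $ConnectionName).Routes.DestinationPrefix
if ($existing -notcontains $LanPrefix) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix
}

# Check: only the LAN prefix should be listed for the tunnel.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Select-Object DestinationPrefix, RouteMetric
```

After connecting, `Get-NetRoute -DestinationPrefix 192.168.1.0/24` should show the route on the VPN interface, while `Get-NetRoute -DestinationPrefix 0.0.0.0/0` should still point at the physical adapter's gateway.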