IKEv2 EAP-MSCHAPv2 VPN not working on Windows

Hi,

I have a pfSense VM working as a firewall for my home. I want to set up a simple IKEv2 MSCHAPv2 VPN in order to connect through the built-in Windows VPN feature.

I have followed the guide "IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 | pfSense Documentation" from the pfSense documentation, and set up port forwarding of UDP 500 and UDP 4500 from my router to the firewall.

As a matter of fact, the setup is working with my Android phone and StrongSwan. I import my CA certificate, then after inputting username and password it connects and I can reach my local devices from outside.

However, it doesn’t seem to work on my Windows PCs. I have both Windows 10 and Windows 11; I have imported the CA certificate on the local machine as a Trusted Root CA, and I set the VPN to IKEv2 with username and password. But if I try to connect to the VPN, it won’t work, stating “Policy match error”. The advanced properties of the VPN connection seem OK (MSCHAPv2 is selected, and I tried both forced and not forced encryption). Even changing the registry value as stated in the guide hasn’t worked.

I even tried redoing all the steps (new certificates, etc), still nothing.

Am I missing something? The fact that it’s working from Android but not from Windows is buzzing me out.

I could be wrong, but I don’t think it will work. There was a security update around the start of the year that won’t allow it for security reasons. Use IPsec Remote Access VPN Example Using IKEv2 with EAP-RADIUS | pfSense Documentation

read this:

https://forum.netgate.com/topic/150670/safe-ikev2-configuration-for-pfsense-and-windows-10-and-macos

I don’t think this is the case, since I also tried with an older version of Windows 10 with no luck. Plus I don’t have a RADIUS server set up, and it might be too complex to maintain.

Thanks, I didn’t know I had to manually set up the settings using PowerShell. It’s crazy that a mobile OS like Android gets it automatically, while you have to set things up manually in Windows. Now that I know the PowerShell settings, I’m going to do some tests to check whether the advanced encryption is capping the bandwidth too much (I hope not!) and choose the best settings for my needs.

This is working with Windows built-in VPN in case it helps:

https://imgur.com/a/ZIZXhve

Assuming you have AES-NI (also IIMB if Plus) enabled on pfSense, AES256-GCM would be the fastest and most secure choice.
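For reference, here is the PowerShell side of what is being discussed: creating the Windows built-in IKEv2 connection and replacing its weak default IPsec proposal with an AES256-GCM / ECP384 policy. This is an added example, not code from the thread or from the pfSense documentation; the connection name, the server hostname and the exact algorithm set are assumptions, and the pfSense Phase 1 / Phase 2 entries have to match what you set here (Phase 1 AES256 / SHA384 / DH group 20, Phase 2 AES256-GCM with PFS group 20 for the values below), otherwise Windows keeps reporting a policy match error.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell.
# Assumed placeholder values: connection name and VPN server hostname.
$Name   = "Home IKEv2"
$Server = "vpn.example.com"

# Start clean: an existing connection with the same name would keep its old policy.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# IKEv2 with EAP user authentication. With no -EapConfigXmlStream Windows uses its
# default EAP method, which is EAP-MSCHAPv2, i.e. the "User name and password" option
# in the GUI. -EncryptionLevel Required corresponds to "Require encryption" in the GUI
# (Optional / Maximum are the other GUI choices).
Add-VpnConnection -Name $Name `
    -ServerAddress $Server `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential

# Replace the Windows default proposal (3DES/SHA1/DH2 unless the RasMan registry
# value is set) with a custom one. These must match the pfSense Phase 1 / Phase 2:
#   Phase 1: AES256 (CBC), SHA384, DH group 20 (ECP384)
#   Phase 2: AES256-GCM, PFS group 20 (ECP384)
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -Force

# Verify what Windows will actually propose before connecting.
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy

# Connect from the command line; an error here maps to the same code the GUI shows.
rasdial $Name
```

A custom policy set this way applies per connection, so the RasMan `NegotiateDH2048_AES256` registry value from the pfSense guide is no longer what decides the proposal; if the connection still fails with a policy match error after this, compare the output of the last two `Get-VpnConnection` lines against the pfSense Phase 1 and Phase 2 entries (or the strongSwan log under Status > System Logs > IPsec) rather than changing the GUI encryption setting again.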

Thank you, with these settings it worked, though it won’t work with encryption forced. I then set up my IKEv2 configuration using AdriftAtlas’s link, and now the connection seems pretty secure. Thanks to both of you!