
Author Topic: Migrating from pptp to ikev2 - how to use fixed ip  (Read 2117 times)


Offline antarex

Migrating from pptp to ikev2 - how to use fixed ip
« on: September 14, 2016, 10:39:22 am »
Hi,

I was using PPTP to give a fixed public IP to some users (pfSense installed on a small VPS with multiple public IPs). Security of the tunnel was not a concern: after the VPN, the traffic goes to the internet without tunnelling, thus the ease of the solution was much more important than the security...

As version 2.3 removed the support for PPTP (I understand), I am trying to implement another solution just as easy for the users as PPTP, avoiding the installation of any software on the user side, natively compatible with Windows and Android.

I've thus configured IKEv2, which works correctly with the Windows native VPN client.

But I'm facing two problems...

1. Even if I've defined a Phase 2 Local network 0.0.0.0/0, the route 0.0.0.0/0 is not automatically configured on the client side (Windows 10), only a route 10.0.0.0/8 is defined. I must manually add the route 0.0.0.0/0... Do you have any idea why?
2. I do not know how to define a specific IP address per user... pfSense/IPsec attributes the IP address from a defined range, but I would like to specify a specific IP of this range for each user... How can that be achieved?

Thanks in advance for your help. I know that my questions concern IPsec, but it's specific to the migration from PPTP, with specific features of PPTP. I suppose that I should not be the only one migrating from PPTP :)

Offline jimp

Re: Migrating from pptp to ikev2 - how to use fixed ip
« Reply #1 on: September 19, 2016, 10:59:36 am »
1. IKEv2 cannot push routes to the client (nor could PPTP!); routing decisions are 100% up to the client side. By default, Windows will send everything, but can be configured to only send certain networks using PowerShell to set up routes. Search around the forum and you'll find some examples.

2. There is no way to define static addresses for IKEv2 clients at the moment.

Offline antarex

Re: Migrating from pptp to ikev2 - how to use fixed ip
« Reply #2 on: September 27, 2016, 09:24:15 am »
Thanks for your answer...

Is there another alternative to PPTP and IKEv2 allowing a static IP and working with native Windows without a third-party client? The whole purpose of the VPN is to give a fixed IP to the users; even an unencrypted tunnel is acceptable, but it must be easy to configure with a fully vanilla Windows...

I've seen an option to assign a fixed IP via L2TP, but I did not succeed in connecting with the VPN client of Windows. I do not know if I've made a wrong configuration or if Windows does not support L2TP...

Offline johnpoz

Re: Migrating from pptp to ikev2 - how to use fixed ip
« Reply #3 on: September 27, 2016, 11:52:51 am »
"All the purpose of the VPN is to give a fixed IP to the users"

Why is fixed IP such a need?