#1 Untangle Ninja (joined Jan 2011; 1,327 posts)

    windows 10 client to IKEv2 on untangle

    With some fiddling about, I did manage to make a functioning IKEv2 connection from Windows 10 to untangle... one seemingly secret hurdle was to install the intermediate SSL certificate into the local machine certificate store; until then I'd get the error "13801: IKE authentication credentials are unacceptable."

    I do have a question though:

    After the connection was established, there was no route added to reach the remote network; Windows has no clue what remote network I'm trying to reach, and there appears to be no mechanism for Untangle to tell it.

    I manually added the route:

    route add 192.168.27.0 mask 255.255.255.0 198.19.0.0

    That worked, I can now access the remote network.

    Is there a better way? Some better VPN client to use than what's built in to Windows? (don't say "just use OpenVPN, it's easier" - I have specific reason for not using OpenVPN)

#2 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008; 26,510 posts)

    The built-in VPN client doesn't have anything to do with routes... You can enable the remote gateway tick box, but it's an all-or-nothing grab. That's primarily why I use OpenVPN, because the client is VASTLY more intelligent.

    If you need a Windows VPN that can be more readily controlled without 3rd party software, the solution you want is called SSTP and it runs on TCP 443 on an IIS instance somewhere.

    But in short no, IPSec support on Win10 requires client side scripting to maintain routing. Been that way since Win2k... yay.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Untangle Ninja (joined Jan 2011; 1,327 posts)

    OK, thanks for confirming what I found...

    For my own use, having to add the route manually is fine; I can make it a persistent route as long as I'm working at home. I need to maintain a constant VPN connection to my primary site while also being able to make as-needed connections to other sites with OpenVPN.

    There was a customer who might need to do the same and I wasn't looking forward to walking him through the manual setup and connection, but he's now reported for his limited use he doesn't mind disconnecting one OpenVPN and connecting a different one when needed.

#4 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008; 26,510 posts)

    Oh, I haven't done this on Windows...

    But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter; if you add more, you can support multiple simultaneous tunnels, as long as you don't have an IP conflict.

    The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#5 Jim.Alles (Untangle Ninja, Central PA; joined Jul 2008; 2,469 posts)

    Quote Originally Posted by sky-knight:
        Oh, I haven't done this on Windows...

        But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter, if you add more you can support multiple simultaneous tunnels. As long as you don't have an IP conflict.

        The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin

    meh. for me, it would just confuse my brain, a nightmare to troubleshoot, and I don't even want to assess the risk. It might be nice for a personal experiment (entertainment purposes). But I am not THAT bored.
    If you think I got Grumpy

#6 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008; 26,510 posts)

    Not much in the way of risks, and if it works the way it did the last time I did this, you just have to click connect on the appropriate slide-out for each site, and the same for the disconnects.

    The OpenVPN client software cannot route. So I don't see any risk in the situation that's any more present than a normal connection event.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#7 jcoehoorn (Untangle Ninja, York, NE; joined Mar 2010; 1,947 posts)

    I had IPSec L2TP to Untangle working from Windows 10... able to move small files, RDP sessions. But it tended to cause Untangle's linux kernel to hard reset if I copied a file larger than 20Mb or so. Since that broke everyone I had to turn it all off.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

#8 Untangle Ninja (joined Jan 2011; 1,327 posts)

    Quote Originally Posted by sky-knight:
        Oh, I haven't done this on Windows...

        But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter, if you add more you can support multiple simultaneous tunnels. As long as you don't have an IP conflict.

        The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin

    Yes, I figured it would be possible to do multiple OpenVPN connections as well... but since I hadn't done client-to-site IPsec before, I figured that was the thing to learn how to do.
    Thanks for the pointer to the TAP adapter installer.

#9 Untangle Ninja (joined Jan 2011; 1,327 posts)

    BTW, I found creating a persistent route doesn't work with IPsec. Once the tunnel goes down and then comes back, the persistent route is still listed as a persistent route but not as an active route, and no traffic passes; I have to delete the route and add it back to get traffic flowing again.
    I can of course put a quick script on the desktop to delete the route and put it back, but yeah, cumbersome. Maybe I won't take for granted all the nice things OpenVPN does for us.
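    The client-side script that post #2 says Windows IKEv2 needs and that post #9 sketches, as an added PowerShell example that is not code from any of the posters. It assumes the Windows VPN entry is named "Untangle-IKEv2" (a made-up name) and uses the 192.168.27.0/24 network from post #1; the Enable-SplitRoute function uses the built-in VpnClient cmdlets so Windows installs the route itself on every connect, which covers the "better way" asked about in post #1 without third-party software.

```powershell
# Added example, not from the thread: keep the client-side route to the remote LAN
# usable across IKEv2 reconnects. Assumed values: the Windows VPN entry is named
# "Untangle-IKEv2"; the remote LAN 192.168.27.0/24 is the one quoted in post #1.
param(
    [string]$VpnName   = 'Untangle-IKEv2',   # assumption: name of the VPN entry in Windows
    [string]$RemoteLan = '192.168.27.0/24'   # remote network from post #1
)

# Option A: have RAS install the route on every connect. The route is stored in the
# phonebook together with the connection, so this needs to run once per machine.
function Enable-SplitRoute {
    Set-VpnConnection -Name $VpnName -SplitTunneling $true -ErrorAction Stop
    $existing = (Get-VpnConnection -Name $VpnName).Routes |
        Where-Object { $_.DestinationPrefix -eq $RemoteLan }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $RemoteLan
    }
}

# Option B: the "quick script on the desktop" from post #9. Dial the tunnel, drop any
# stale copy of the route, and add it again bound to the tunnel's current interface.
function Connect-AndRoute {
    rasdial $VpnName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial $VpnName failed with code $LASTEXITCODE" }

    # Once the tunnel is up, the RAS adapter's interface alias equals the connection name.
    $tunnel = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 -ErrorAction Stop

    # A persistent route keeps its PersistentStore entry after a reconnect but is gone
    # from the ActiveStore (the symptom in post #9), so clear every copy first.
    foreach ($store in 'PersistentStore', 'ActiveStore') {
        Get-NetRoute -DestinationPrefix $RemoteLan -PolicyStore $store -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
    }

    # Add the route to the active table only: it is valid for this tunnel instance and is
    # recreated on the next run. Next hop is the tunnel's own address, the usual choice
    # for a point-to-point RAS adapter.
    New-NetRoute -DestinationPrefix $RemoteLan -InterfaceIndex $tunnel.InterfaceIndex `
                 -NextHop $tunnel.IPAddress -PolicyStore ActiveStore | Out-Null

    # Confirm the route is actually active, not merely persistent.
    Get-NetRoute -DestinationPrefix $RemoteLan -PolicyStore ActiveStore |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias
}

# Run Enable-SplitRoute once; run Connect-AndRoute each time you dial the tunnel.
Connect-AndRoute
```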

#10 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008; 26,510 posts)

    Honestly... Microsoft should be ashamed with how garbage the built in VPN client is...

    Of course this applies to everyone else that makes operating systems too... because they are all really bad.

    The company that upsets me the most is Cisco... they have a TERRIFIC 3rd party client, but they don't use it on Meraki. Which given the extortion payments... is inexcusable.

    But yeah, OpenVPN's client has its warts because upgrading the entire fleet when you make a config change is a giant pain, but it does just work most of the time. And you can push configs from the server pretty well.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
