windows 10 client to IKEv2 on untangle

[johnsonx42]

With some fiddling about, I did manage to make a functioning IKEv2 connection from Windows 10 to untangle... one seemingly secret hurdle was to install the intermediate SSL certificate into the local machine certificate store; until then I'd get the error "13801: IKE authentication credentials are unacceptable."

I do have a question though:

After the connection established, there was no route added to reach the remote network; windows has no clue what remote network I'm trying to reach, and there appears to be no mechanism for Untangle to tell it.

I manually added the route:

route add 192.168.27.0 mask 255.255.255.0 198.19.0.0

That worked, I can now access the remote network.

Is there a better way? Some better VPN client to use than what's built in to Windows? (don't say "just use OpenVPN, it's easier" - I have specific reason for not using OpenVPN)

[sky-knight]

The built in VPN client doesn't have anything to do with routes... You can enable the remote gateway tick box, but it's an all or nothing grab. That's primarily why I use OpenVPN because the client is VASTLY more intelligent.

If you need a Windows VPN that can be more readily controlled without 3rd party software, the solution you want is called SSTP and it runs on TCP 443 on an IIS instance somewhere.

But in short no, IPSec support on Win10 requires client side scripting to maintain routing. Been that way since Win2k... yay.

[johnsonx42]

ok, thanks for confirming what found...

For my own use, having to add the route manually is fine; I can make it a persistent route as long as I'm working at home. I need to maintain a constant VPN connection to my primary site while also being able to make as-needed connections to other sites with OpenVPN.

There was a customer who might need to do the same and I wasn't looking forward to walking him through the manual setup and connection, but he's now reported for his limited use he doesn't mind disconnecting one OpenVPN and connecting a different one when needed.

[sky-knight]

Oh, I haven't done this on Windows...

But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter, if you add more you can support multiple simultaneous tunnels. As long as you don't have an IP conflict.

The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin

[Jim.Alles]

Oh, I haven't done this on Windows...

But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter, if you add more you can support multiple simultaneous tunnels. As long as you don't have an IP conflict.

The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin

meh. for me, it would just confuse my brain, a nightmare to troubleshoot, and I don't even want to assess the risk. It might be nice for a personal experiment (entertainment purposes). But I am not THAT bored.

[sky-knight]

Not much in the way of risks, and if it works the way it did the last time I did this you just have click connect on the appropriate slide out for each site, and the same for the disconnects.

The OpenVPN client software cannot route. So I don't see any risk in the situation that's any more present than a normal connection event.

[jcoehoorn]

I had IPSec L2TP to Untangle working from Windows 10... able to move small files, RDP sessions. But it tended to cause Untangle's linux kernel to hard reset if I copied a file larger than 20Mb or so. Since that broke everyone I had to turn it all off.

[johnsonx42]

Oh, I haven't done this on Windows...

But... the limitation of the OpenVPN client only connecting to a single VPN at a time is because the install process only creates a single TAP adapter, if you add more you can support multiple simultaneous tunnels. As long as you don't have an IP conflict.

The scripts to add and remove the tap drivers for Windows are here: C:\Program Files\TAP-Windows\bin

yes, i figured it would be possible to do multiple openvpn connections as well... but since I hadn't done client-to-site IPSEC before, I figured that was the thing to learn how to do.
thanks for the pointer to the tap adapter installer.

[johnsonx42]

btw, I found creating a persistent route doesn't work with IPSEC. once the tunnel goes down and then comes back, the persistent route is still listed as a persistent route but not as an active route and no traffic passes; I have to delete the route and add it back to get traffic flowing again.
I can of course put a quick script on the desktop to delete the route and put it back, but yeah, cumbersome. Maybe I won't take for granted all the nice things OpenVPN does for us.

[sky-knight]

Honestly... Microsoft should be ashamed with how garbage the built in VPN client is...

Of course this applies to everyone else that makes operating systems too... because they are all really bad.

The company that upsets me the most is Cisco... they have a TERRIFIC 3rd party client, but they don't use it on Meraki. Which given the extortion payments... is inexcusable.

But yeah, OpenVPN's client has its warts because upgrading the entire fleet when you make a config change is a giant pain, but it does just work most of the time. And you can push configs from the server pretty well.