Strange VPN issue with Windows 11 / pfSense

So I have a strange VPN issue going on that I was just troubleshooting for an hour and basically got nowhere… VPN host is pfSense, client is the built-in Windows client. Windows 10 machines work, the one and only Windows 11 box doesn’t.

VPN connects fine; ping, tracert, all that stuff looks great. But web browsing, shared folders, etc., don’t work - all of those requests just time out. No idea why, or where to even look. I tried flushing DNS, uninstalling WAN Miniport drivers for the VPN connections, adding a new VPN connection, all the low-hanging fruit basically.

The only thing that changed was the newest pfSense update disabled an insecure protocol that the VPN was using, so I updated the connection to use a higher level of security, and ran a PowerShell script on all of the clients to update their existing VPN connection. Not sure if it’s a Windows 10 vs 11 issue or not, but all the Windows 10 clients work fine.

Happy to provide more info, but this one has me stumped. Open to any thoughts, thanks.

Why don’t you try the OpenVPN client (OpenVPN Connect - Client Software For Windows | OpenVPN)? I see that there are two available versions for 10 and one for 11.

I’d say there is probably some setting that needs to be enabled for 11 that doesn’t for 10.

OK, stupid question - OpenVPN would require me setting up a whole new VPN on pfSense, and not use the existing IPsec one, right? Or could I use the OpenVPN client to connect to the existing IPsec VPN? Long story short, it’s a regulated company, strict change control policies, etc., so it’s unfortunately not as simple as just installing software and trying it.

Like you said, I’m guessing there’s some extra setting, or something that’s hosing it up though. I was just hoping someone might already know from experience. It’s almost acting like there’s a firewall in place that’s blocking all traffic except ICMP to the VPN.

I’m going to research some more over the weekend, but if I end up not being able to solve it, maybe moving to OpenVPN might be a better alternative.

Ah OK, you are using IPsec; I assumed it was OpenVPN.

If you have just upgraded to the latest version of pfSense, then have a look at the release notes for some changes. I don’t use IPsec, but there may have been some changes to the ciphers or encryption between versions.

Small detail… yes, it’s IPsec. So that’s the funny thing - there were changes. pfSense phased out some of the deprecated ones (and really this forced the connection to get upgraded, so not necessarily a bad thing). I updated the encryption and cipher settings on the pfSense side to what’s in this screenshot:

I then ran this script on all of the clients that use the VPN - and for all but this one workstation, it worked with no problem:

# Name of the existing VPN entry on the client (placeholder; set to the real connection name).
$connectionName = "<VPN connection name>"

# Re-point the client's IPsec proposal at the stronger settings now required on the pfSense side.
Set-VpnConnectionIPsecConfiguration -ConnectionName $connectionName `
    -AuthenticationTransformConstants SHA256 `
    -CipherTransformConstants AES256 `
    -DHGroup Group14 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup PFS2048 `
    -Force
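An added check, not part of the thread, to confirm what a client actually ended up with after the script above ran, so the working Windows 10 boxes and the failing Windows 11 box can be compared like for like. It assumes the placeholder connection name and reads the applied policy back through the IPsecCustomPolicy property that Get-VpnConnection exposes.

```powershell
# Added diagnostic (not from the thread). Compares the client's applied IPsec policy
# against the values pushed by Set-VpnConnectionIPsecConfiguration.
$connectionName = "<VPN connection name>"   # placeholder, set to the real connection name

# Expected values, taken from the script that was pushed to the clients.
$expected = @{
    AuthenticationTransformConstants = 'SHA256'
    CipherTransformConstants         = 'AES256'
    DHGroup                          = 'Group14'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    PfsGroup                         = 'PFS2048'
}

$vpn = Get-VpnConnection -Name $connectionName -ErrorAction Stop
Write-Host "Connection: $($vpn.Name)  Tunnel: $($vpn.TunnelType)  Server: $($vpn.ServerAddress)"

# A connection that never received the script has no custom policy at all.
$policy = $vpn.IPsecCustomPolicy
if ($null -eq $policy) {
    Write-Warning "No custom IPsec policy is set; this client is still on the Windows defaults."
    return
}

# Property and hashtable lookups are case-insensitive in PowerShell, so 'PfsGroup' matches
# however the property is cased on this Windows build.
$mismatches = foreach ($key in $expected.Keys) {
    $actual = [string]$policy.$key
    if ($actual -ne $expected[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $expected[$key]; Actual = $actual }
    }
}

if ($mismatches) {
    Write-Warning "IPsec policy differs from what was pushed:"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "All IPsec settings on this client match the pushed proposal."
}
```

Run it on a working Windows 10 client and on the Windows 11 client; if both report a match, the negotiated IPsec proposal is not what differs between them and the search can move elsewhere.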

I’d suggest scanning the Netgate forums. On the one hand, if there is a fault then loads of people would be screaming; on the other, it feels like a config issue related to Win11 that others have probably encountered.

Well, that might be the best suggestion yet. Not sure why I didn’t think about that first.

Are you with NordVPN by any chance?

No, it’s being used by employees to connect to their office network.

I have encountered this several times. I had to remove all the WAN-Port adapters from the Device Manager, then refresh for them to be picked up again.

Yeah, that was one of the first things I tried. Unfortunately it didn’t work.