
From our team's experience so far, we have found that when you connect to an IPsec VPN, the route is not automatically advertised to the client and has to be added manually on the client.

Is this a bug, a missing configuration or a feature? (In the sense that automatic routing configuration could be a security issue, so it is normal to do that manually.)

The vendor, which uses strongSwan for a VPR (virtual private router), has told us that the VPR would not advertise the route. I am trying to understand how much of that is related to strongSwan itself.

Used clients:

  • Windows 10 Pro
  • Ubuntu Linux 18.04.3 LTS

Without a routing entry like the following you cannot communicate with a virtual machine behind the VPN. Once this entry is added, things work fine.

route add 10.225.24.0/24 172.26.96.1

Where:

  • 172.26.96.1 is the gateway on ppp0 (the client IP in this example is 172.26.96.2)
  • 10.225.24.0/24 is the private network we want to connect to
J. Doe
  • What routes are you referring to? Split-tunneling? And what kind of clients (Windows/Android/Apple...)? – ecdsa Mar 02 '20 at 14:34
  • @ecdsa thank you - does this additional information help? – J. Doe Mar 02 '20 at 16:58
  • What traffic selectors (IKEv2) are negotiated? (You should see that with Linux clients.) With Windows there are definitely some issues with split-tunneling etc. (you can find information on that on the [strongSwan wiki](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling-with-IKEv2)). – ecdsa Mar 03 '20 at 09:12
  • Will check, thanks. Seems like in any case Win users need to set routes? What if that's forbidden by org policy? – J. Doe Mar 03 '20 at 09:48
  • 1
    I think it depends on the traffic selectors and the virtual IPs plus some client settings. But for split-tunneling (in particular for IPv6) it might be necessary to use the [Add-VpnConnectionRoute](https://docs.microsoft.com/en-us/powershell/module/vpnclient/Add-VpnConnectionRoute) PowerShell cmdlet so the necessary routes are installed automatically. – ecdsa Mar 03 '20 at 10:50

0 Answers