
I have set up Strongswan on Ubuntu 14.04 from the official package. I use IKEv2 with PKI authentication and a custom authorization plugin. This works great for Android and Ubuntu clients using strongswan but not when using the native Windows 7/8 IKEv2 client (machine certificate authentication). I connect to the VPN server just fine, but on the Status tab for the VPN interface it shows this:

http://i.stack.imgur.com/qHJEh.png

and as you can guess I can't access anything as I have broken routing.

I have censored the IP details, Client IPv4 is correctly an IP assigned from the strongswan pool at the VPN subnet. (it's no-NAT, all addresses are public routable except the origin address which is behind my home NAT router)

MemCtrl
  • Are you worrying about the "Server IPv4 address 0.0.0.0" line? Or those red marked IP addresses? – ecdsa Jul 01 '14 at 09:04
  • the 0.0.0.0 address :P – MemCtrl Jul 01 '14 at 09:27
  • That 0.0.0.0 address is always like that for IKEv2 connections. But the red marked IP addresses actually look like they are from the same subnet, which might be an issue. – ecdsa Jul 01 '14 at 10:02
  • Android clients with strongswan app and linux clients using strongswan can connect and have correct routing behavior. – MemCtrl Jul 01 '14 at 10:28
  • As far as I could determine the censored addresses, they are from the same subnet. It might throw the Windows client off that the VPN gateway's public address and the client's **internal** tunnel IP are in the same subnet. Do you use [split tunneling](http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling)? Have you disabled the _"Use default gateway on remote network"_ option in the _"Advanced TCP/IP"_ settings of the VPN connection? – ecdsa Jul 01 '14 at 15:39
  • Just to clarify, I use fake-arp so the client gets a public routable IPv4, no NAT takes place. – MemCtrl Jul 02 '14 at 08:55

1 Answer


SOLVED:

You should specify 0.0.0.0/0 for rightsubnet in the Windows config; the Windows IPsec client isn't "smart enough" to handle split tunneling.

MemCtrl
  • That's incorrect. You can split tunnel with the windows client. In fact, I'm doing it right now. – Ritch Melton Mar 07 '16 at 22:20
  • Really? What I have always resolved to do for all our remote windows workers is not "use gateway on remote network" and just insert the needed routes via the "route" command from a command prompt. – MemCtrl May 23 '16 at 19:31
  • Yes. That's split tunneling. The Windows IKEv2 client doesn't take route pushdown (something the mac client does handle), but it'll split tunnel. Adding routing works better with the powershell command `Add-VpnConnectionRoute` and `Add-VpnConnectionTriggerTrustedNetwork` for on-demand DNS dialing. – Ritch Melton May 23 '16 at 21:39
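As an added illustration (not the poster's own configuration), here is a strongswan 5.x `ipsec.conf` for the gateway that offers the native Windows client the full-tunnel selector the answer calls for, while strongswan clients on Android and Linux keep a narrowed selector. The gateway is written as `left` (the local side), so the selector offered to the road warrior is `leftsubnet`. The hostnames, addresses, certificate names and the OU-based identity matching used to tell the two client groups apart are constructed assumptions.

```ini
# Added example gateway configuration for strongswan 5.x on Ubuntu 14.04.
# Not the original poster's file. "left" is this gateway, "right" is the
# road warrior. All names and addresses are constructed placeholders.
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    # Windows 7/8 negotiate these IKE and ESP proposals; strongswan clients
    # accept them too, so one proposal set serves both groups.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    dpdaction=clear
    dpddelay=30s
    left=%any
    # Must match a subjectAltName in gatewayCert.pem (Windows checks it).
    leftid=@vpn.example.org
    leftcert=gatewayCert.pem
    leftauth=pubkey
    # Clients present machine certificates signed by the same CA.
    rightauth=pubkey
    # Public, routable pool handed out to clients; with the farp plugin loaded
    # in strongswan.conf the gateway answers ARP for these addresses, so no
    # NAT is needed (the poster's "fake-arp" setup).
    rightsourceip=203.0.113.128/26
    auto=add

# strongswan clients (Android app, Linux): the gateway narrows the client's
# proposal to this one network, and the client installs a route for it only.
conn roadwarrior-split
    leftsubnet=198.51.100.0/24
    # Constructed convention: client certs issued with OU=strongswan.
    rightid="C=XX, O=Example, OU=strongswan, CN=*"

# Native Windows 7/8 IKEv2 client: offer the whole address space, as the
# answer recommends, instead of a narrowed selector.
conn roadwarrior-windows
    leftsubnet=0.0.0.0/0
    # Constructed convention: Windows machine certs issued with OU=windows.
    rightid="C=XX, O=Example, OU=windows, CN=*"
```

After a client connects, `ipsec statusall` on the gateway lists the traffic selectors actually installed for each CHILD_SA, so it is easy to confirm whether a Windows client ended up with `0.0.0.0/0` or with a narrowed range. Whether the Windows client sends all traffic through the tunnel or only part of it is then a client-side choice: with the "Use default gateway on remote network" option off, only the routes added with `Add-VpnConnectionRoute` (as the comment above describes) go through the VPN.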