Pfsense 2.5.2 - split-tunneling issue using windows clients
-
Hi,
I am trying to configure IKEv2 with split-tunneling on pfSense and to use the Windows client. But when I set "Local Network" in Phase 2 to "LAN subnet" or to any "Network", the Windows client gets only the 10.0.0.0/8 route.
In the Pfsense 2.2.4 - split-tunneling using windows clients - missing route to vpn topic was mentioned:
- Looking over the IPsec daemon documentation it appears what you are after may not be possible in a way that is both usable and desirable. It's a limitation of the Windows VPN client and not pfSense or IKEv2. The Windows client has no mechanism to receive routes/subnets over IKEv2 other than the VPN tunnel network itself. Unfortunately that's how the Windows client has always worked even with PPTP.
But when I configure IKEv2 with split-tunneling, for example, on Mikrotik, the Windows client can get multiples routes. So where is the issue with pfSense or the Windows client? Maybe I do something wrong?
Thanks.
-
I think I found why the Windows client works with Mikrotik. It's from the Mikrotik documentations:
- Here is a list of known limitations by popular client software IKEv2 implementations.
-
- Windows will always ignore networks received by split-include and request policy with destination 0.0.0.0/0 (TSr). When IPsec-SA is generated, Windows requests DHCP option 249 to which RouterOS will respond with configured split-include networks automatically.
Did you think to add this feature to pfSense?
Thanks.
-
@serhiil but what u want to achieve here?
-
@periko I would like to know if it is planned to add route pushing to Windows clients using DHCP option?
Thanks.
