Netgate Discussion Forum
    IKEv2 successfully connects but doesn't route traffic through tunnel

    IPsec
    3 Posts 2 Posters 5.6k Views
      Raisonbran648

      Hello, I followed the IKEv2 with EAP-MSCHAPv2 guide and have successfully connected to the VPN.
      The problem is I'm unable to ping or access local machines, and when I try to route all traffic my public IP is still unchanged. It seems no traffic is being routed through the tunnel.

      On phase 2 I set Local Network to:
      Type: Network
      Address: 0.0.0.0 / 0

      On my machine I am getting a virtual address from the virtual address pool.
      I tried disabling the Windows software firewalls on both the remote and local machine, and neither can ping the other.

      • jimp (Rebel Alliance Developer, Netgate)

        Check the client settings. There is an option in the client that tells it whether or not to send all traffic across the tunnel. The server side can't control that with IKEv2, it's all up to the client.

        • Raisonbran648

          Thank you. I was only looking at settings on pfSense and never questioned the client. I solved the issue and will explain below, specifically for Windows clients, what the problem was.

          Windows 10 now defaults VPN connections to Split Tunneling set to true. Split tunneling selectively routes only traffic that matches your leased address over the tunnel, while routing all your other traffic out your local machine's gateway. I believe that IKEv2 requires a virtual address pool, which has to be on a separate subnet. So the default client settings will never successfully route any traffic except to other remote VPN clients.

          So IKEv2 on Windows without custom settings will never function. There are a few solutions.
          1. Disable split networking and route all traffic through the remote gateway. (Be sure on Phase 2 to set Local Network to 0.0.0.0 / 0 to route all traffic.)
          2. Keep split networking enabled, and add a custom route rule on the client to force traffic destined for the remote's LAN to use your VPN interface. (route add command)

          Windows 10 has broken the conventional UI menus to change the VPN settings under the VPN network adapter's Networking tab. The old checkbox was "Use default gateway on remote network", which was previously enabled by default. This checkbox, when enabled, is the same as split tunneling set to false.

          The workaround is to use a PowerShell command to configure your VPN. In PowerShell you can list your VPN connections with the command: Get-VpnConnection
          With the name of the VPN connection you can disable split tunneling with the following command: Set-VpnConnection -Name "connectionName" -SplitTunneling $False

          I'm surprised with how poorly VPNs are implemented on many devices.

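The two fixes described in the last post (disable split tunneling, or keep it and add a route for the remote LAN), written out as an added PowerShell example. This is not code from the forum post or from Netgate; it uses the built-in VpnClient cmdlets (Get-VpnConnection, Set-VpnConnection, Add-VpnConnectionRoute) and NetTCPIP (Get-NetRoute). The connection name "pfSense-IKEv2", the remote LAN 192.0.2.0/24 and the test host 192.0.2.10 are placeholders; replace them with your own values. It also verifies that the routing table actually changed after connecting, which is the check the original poster was missing.

```powershell
# Added example (not from the forum post or Netgate): apply and verify either
# split-tunnel fix for a Windows 10 IKEv2 client profile.
# Placeholders (assumptions, change to match your setup):
#   $ConnectionName - the profile name shown by Get-VpnConnection
#   $RemoteLan      - the pfSense-side LAN to reach (RFC 5737 documentation range)
#   $TestHost       - a host on that LAN to ping after connecting
# Run from an elevated PowerShell session on the Windows 10 client.

param(
    [string]$ConnectionName = "pfSense-IKEv2",
    [string]$RemoteLan      = "192.0.2.0/24",
    [string]$TestHost       = "192.0.2.10",
    [ValidateSet("FullTunnel", "SplitWithRoute")]
    [string]$Mode           = "FullTunnel"
)

# 1. Show every user-scope VPN profile and its current split-tunnel state.
#    A freshly created Windows 10 profile reports SplitTunneling = True, which
#    is the behaviour the post describes (only the /32 virtual address is routed).
Get-VpnConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling |
    Format-Table -AutoSize

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

switch ($Mode) {
    "FullTunnel" {
        # Option 1 from the post: send all traffic through the tunnel.
        # Needs Phase 2 Local Network = 0.0.0.0/0 on the pfSense side, and it
        # means every client packet is subject to the pfSense IPsec rules.
        if ($vpn.SplitTunneling) {
            Set-VpnConnection -Name $ConnectionName -SplitTunneling $false
            Write-Host "Split tunneling disabled on '$ConnectionName'."
        } else {
            Write-Host "'$ConnectionName' already routes all traffic through the tunnel."
        }
    }
    "SplitWithRoute" {
        # Option 2 from the post: keep split tunneling but attach a route for the
        # remote LAN to the profile. Windows installs it each time the VPN comes
        # up, so it replaces a one-off 'route add' that is lost on reconnect.
        Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
        $existing = (Get-VpnConnection -Name $ConnectionName).Routes |
            Where-Object { $_.DestinationPrefix -eq $RemoteLan }
        if (-not $existing) {
            Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $RemoteLan
            Write-Host "Route $RemoteLan attached to '$ConnectionName'."
        }
    }
}

# 2. Connect with the built-in dialer (uses credentials saved in the profile)
#    and verify the kernel routing table instead of trusting the UI.
rasdial $ConnectionName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "rasdial failed for '$ConnectionName' (exit code $LASTEXITCODE)"
}

# The VPN interface alias matches the connection name. In FullTunnel mode
# expect a 0.0.0.0/0 entry on it with a lower metric than the physical NIC;
# in SplitWithRoute mode expect the $RemoteLan prefix.
Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize

# 3. Reachability check against a host on the remote LAN (placeholder address).
if (Test-Connection -ComputerName $TestHost -Count 2 -Quiet) {
    Write-Host "Remote LAN host $TestHost reachable through the tunnel."
} else {
    Write-Warning "No reply from $TestHost; check the route output above and the pfSense IPsec firewall rules."
}
```

rasdial only succeeds non-interactively when the profile has stored credentials (or when you pass a username and password on its command line); otherwise connect from the Windows VPN panel first and run only the Get-NetRoute and Test-Connection steps. A ping that still fails after the 0.0.0.0/0 or remote-LAN route is present usually points at the pfSense side (Phase 2 Local Network or the IPsec-tab firewall rules) rather than the client.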
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.