IKEv2 routing



  • Hi-

    I have setup a pfsense server running on google cloud compute for use in a small business for VPN access. We have everyone setup under IKEv2 on iOS devices, and have successfully setup extremely stable connections(MOBIKE!!!!). This was done following the guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 with some minor tweaks. We have additional servers setup under google cloud that run internal applications, and given our mobile workforce possibly using public wifi or unsecure connections, need to route all traffic via VPN.

    Now the problem… Our staff experiences a significant amount of down-time in the field, and have previously used netflix/hulu at their discretion. With the new netflix vpn block, they are blocking outgoing requests coming from google cloud ip addresses, and when all traffic is routed over ike vpn, netflix/hulu is effectively blocked. Is it possible to not route netflix/hulu traffic over ikev2? If this is not possible, we also have a home office with a sonicwall firewall. Could we establish an additional ikev2 tunnel from pfsense to sonicwall, and route netflix/hulu traffic through the sonicwall, therefore giving it the ip of the home office? Any other solutions or recommendations?

    Thank you!


  • Rebel Alliance Developer Netgate

    That is entirely up to the client side in these cases. If you can configure the client to only send traffic for your far-side VPN subnets across, then it should be closer to what you want. But with IKEv2 in this sort of setup the client makes all those decisions.

    If you only have your server network(s) in the P2 list and have checked "Provide a list of networks…" on the mobile clients tab, clients might respect that and stop sending all traffic over IKEv2, but support varies by client.