IKEv2 successfully connects but doesn't route traffic through tunnel

  • Hello, I followed the IKEv2 with EAP-MSCHAPv2 guide and have successfully connected to the vpn.
    The problem is I'm unable to ping or access local machines, and when I try to route all traffic my public IP is still unchanged. It seems no traffic is being routed through the tunnel.

    On phase 2 I set Local Network to:
    Type: Network
    Address: / 0

    On my machine I am getting a virtual address from the virtual address pool.
    I tried disabling the windows software firewalls on both the remote and local machine and neither can ping each other.

  • Rebel Alliance Developer Netgate

    Check the client settings. There is an option in the client that tells it whether or not to send all traffic across the tunnel. The server side can't control that with IKEv2, it's all up to the client.

  • Thank you. I was only looking at settings on pfsense and never questioned the client. I solved the issue and will explain below specifically for windows clients what the problem was.

    Windows 10 now defaults VPN connections with Split Tunneling set to true. Split tunneling selectively only routes traffic that matches your leased address over the tunnel, while routing all your other traffic out your local machines gateway. I believe that IKEv2 requires virtual addressing pool, which has to be on a separate subnet. So the default client settings will never successfully route any traffic except to other remote VPN clients.

    So IKEv2 on windows without custom settings will never function. There are a few solutions.
    1. Disable split networking and route all traffic through the remote gateway. (Be sure on Phase 2 to set Local Network to / 0 to route all traffic)
    2. Keep split networking enabled, and add a custom route rule on the client to force traffic desired for the remote's lan traffic to use your VPN interface. (route add command)

    Windows 10 has broken the conventional UI menus to change the VPN settings under the VPN network adapter's networking tab. The old checkbox was "Use default gateway on remote network", which was previously enabled by default. This checkbox when enabled is the same as split tunneling set to false.

    The workaround is to use a powershell command to configure your VPN. In powershell you can list your VPN connections with the command: Get-VpnConnection
    With the name of the VPN connection you can disable split tunneling with the following command: Set-VpnConnection -name "connectionName" -SplitTunneling $False

    I'm surprised with how poorly VPN's are implemented on many devices.

Log in to reply