IPSec route only some traffic through tunnel

  • Hi,
    I have remote access mobile VPN setup using IKEv2. It is fully working if I have local subnet configured as under my phase 2 configuration.

    How can I configure the tunnel so that only traffic to a certain (public) IP address, say a.b.c.d, is routed through the VPN, and all other traffic is routed straight to the (internet) hosts?

    Thanks, Jacob

  • LAYER 8 Netgate

    Firewall rules on the IPsec tab. Only pass traffic sourced from the mobile clients to the addresses you desire.

  • Hi,
    That works in a way - I can limit the traffic so that only traffic to specified hosts/networks is allowed. However, the VPN client doesn't seem to get that information - it still tries to route all data through the VPN.

    I have the option "Provide a list of accessible networks to clients" enabled.

    In the logs I get:
    "10[IKE] <con-mobile|238> CHILD_SA con-mobile{201} established with SPIs c69b5a96_i 0aae60c1_o and TS|/0 ===|/0"

    Is there anything more I need to configure for the clients to be aware of what data to send through the VPN?

    Thanks, Jacob

  • LAYER 8 Netgate

    Whatever traffic the client tries to route through it is up to the client.

    You are telling it to route all traffic through the tunnel with Try limiting that in scope if you want split-tunnelling.

    If it's Windows, maybe some powershell will get you where you want to be.
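
Added example, not from the thread or from pfSense/strongSwan: a small Python check that reads the charon "CHILD_SA ... established ... TS" lines quoted above and reports whether the traffic selector on the gateway's side was negotiated as a catch-all (0.0.0.0/0, i.e. full tunnel) or narrowed to the intended host, which is what decides whether a client can split-tunnel. In that log format the selectors before "===" belong to the host writing the log and those after it to its peer; the sample lines, 203.0.113.10 (standing in for a.b.c.d) and the client virtual IP 10.9.0.1 are constructed.

```python
import ipaddress
import re

# charon logs "CHILD_SA <conn>{<reqid>} established with SPIs <in>_i <out>_o and TS <own> === <peer>".
# The selectors before "===" belong to the host writing the log, the ones after to its peer.
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<own>.+?) === (?P<peer>.+?)\s*$"
)

def _selectors(field):
    """Turn 'a/24 b/32[tcp/443]' into ip_network objects (port/protocol suffixes dropped)."""
    return [ipaddress.ip_network(re.sub(r"\[.*?\]", "", ts), strict=False) for ts in field.split()]

def parse_child_sa(line):
    """Parse one CHILD_SA-established log line; None if the line is some other event."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    own, peer = _selectors(m["own"]), _selectors(m["peer"])
    return {
        "conn": m["conn"],
        "own_ts": own,
        "peer_ts": peer,
        # A /0 selector on a side means that side was offered/accepted "everything".
        "own_catch_all": any(n.prefixlen == 0 for n in own),
        "peer_catch_all": any(n.prefixlen == 0 for n in peer),
    }

def split_tunnel_for(line, destination):
    """Gateway-side log: True if the tunnel is narrowed and still covers `destination`."""
    sa = parse_child_sa(line)
    if sa is None:
        return None
    dst = ipaddress.ip_address(destination)
    return (not sa["own_catch_all"]) and any(dst in n for n in sa["own_ts"])

# Constructed sample lines (not from the thread): the gateway's view of a mobile
# client whose virtual IP is 10.9.0.1; 203.0.113.10 stands in for "a.b.c.d".
FULL_TUNNEL = ("10[IKE] <con-mobile|238> CHILD_SA con-mobile{201} established with SPIs "
               "c69b5a96_i 0aae60c1_o and TS 0.0.0.0/0 === 10.9.0.1/32")
SPLIT_TUNNEL = ("10[IKE] <con-mobile|239> CHILD_SA con-mobile{202} established with SPIs "
                "c69b5a97_i 0aae60c2_o and TS 203.0.113.10/32 === 10.9.0.1/32")

if __name__ == "__main__":
    for name, line in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        sa = parse_child_sa(line)
        print(name, [str(n) for n in sa["own_ts"]], "catch-all" if sa["own_catch_all"] else "narrowed")
```

Run against the client's own charon log instead, the roles flip: the selectors after "===" are then the gateway-side networks the client has agreed to send through the tunnel.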

  • Ah, split tunnelling was what I was looking for! Thank you.

    Unfortunately macOS doesn't seem to respect the destinations it retrieves - it still tries to send all traffic through the VPN. Works on Android.

    This is what the client receives:
    08[IKE] <con-mobile|388> CHILD_SA con-mobile{448} established with SPIs c34ad87b_i 00f6ec12_o and TS|/0|/0 ===|/0

  • LAYER 8 Netgate

    For the Mac, try setting up the VPN using a profile instead of manually. It sometimes behaves differently.
