IPSec route only some traffic through tunnel



  • Hi,
    I have remote access mobile VPN setup using IKEv2. It is fully working if I have the local subnet configured as 0.0.0.0/0 under my phase 2 configuration.

    How can I configure the tunnel so that only traffic to a certain (public) IP address, say a.b.c.d, is routed through the VPN, and all other traffic is routed straight to the (internet) hosts?

    Thanks, Jacob


  • LAYER 8 Netgate

    Firewall rules on the IPsec tab. Only pass traffic sourced from the mobile clients to the addresses you desire.



  • Hi,
    That works in a way - I can limit the traffic so that only traffic to specified hosts/networks is allowed. However, the VPN client doesn't seem to get that information - it still tries to route all data through the VPN.

    I have the option "Provide a list of accessible networks to clients" enabled.

    In the logs I get:
    "10[IKE] <con-mobile|238> CHILD_SA con-mobile{201} established with SPIs c69b5a96_i 0aae60c1_o and TS 0.0.0.0/0|/0 === 172.22.44.1/32|/0"

    Is there anything more I need to configure for the clients to be aware of what data to send through the VPN?

    Thanks, Jacob


  • LAYER 8 Netgate

    Whatever traffic the client tries to route through it is up to the client.

    You are telling it to route all traffic through the tunnel with 0.0.0.0/0. Try limiting that in scope if you want split-tunnelling.

    If it's Windows, maybe some PowerShell will get you where you want to be.
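As an added example (not part of the thread and not Netgate's code), this is what the PowerShell route on the Windows client side looks like: create or update the IKEv2 connection with split tunnelling enabled, add only the destination(s) that should go through the tunnel, and verify the result. The connection name, the gateway FQDN and the destination 203.0.113.10/32 (standing in for the a.b.c.d placeholder in the original question) are assumptions; replace them with your own values.

```powershell
# Added example, not from the thread. Configures a Windows IKEv2 client for
# split tunnelling so that only the listed prefixes are sent through the
# pfSense mobile IPsec tunnel. Names and addresses below are assumptions.

$Name   = 'pfSense-mobile'        # assumed connection name
$Server = 'vpn.example.org'       # assumed gateway FQDN (must match its certificate)
$Hosts  = @('203.0.113.10/32')    # assumed destination(s), stands in for a.b.c.d

# Create the connection if it does not exist yet. -SplitTunneling stops the
# client from installing a 0.0.0.0/0 default route via the tunnel. EAP user
# authentication is assumed; use -AuthenticationMethod MachineCertificate if
# the gateway authenticates clients by certificate instead.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -Force
} else {
    # Existing connection: just switch it to split tunnelling.
    Set-VpnConnection -Name $Name -SplitTunneling $true -Force
}

# With split tunnelling on, Windows routes only the prefixes added here via
# the tunnel; everything else keeps using the normal default gateway.
foreach ($prefix in $Hosts) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -ErrorAction Stop
}

# Verify the client-side configuration: SplitTunneling must be True and only
# the intended prefixes should be listed as VPN routes.
Get-VpnConnection -Name $Name | Select-Object Name, TunnelType, SplitTunneling
Get-VpnConnectionRoute -ConnectionName $Name | Select-Object DestinationPrefix, RouteMetric

# After dialling the connection, the routing table is the final check: the
# /32 should point at the VPN interface while 0.0.0.0/0 stays on the physical NIC.
# rasdial $Name
# Get-NetRoute -DestinationPrefix '203.0.113.10/32' | Format-Table
# Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Format-Table
```

The client-side routes only control what the client sends into the tunnel; the gateway still enforces what it accepts through the Phase 2 traffic selectors and the rules on the IPsec tab, so both sides need to agree before a narrowed tunnel is actually effective.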



  • Ah, split tunnelling was what I was looking for! Thank you.

    Unfortunately macOS doesn't seem to respect the destinations it retrieves - it still tries to send all traffic through the VPN. Works on Android.

    This is what the client receives:
    08[IKE] <con-mobile|388> CHILD_SA con-mobile{448} established with SPIs c34ad87b_i 00f6ec12_o and TS 1.1.1.1/32|/0 52.16.214.60/32|/0 === 172.22.44.1/32|/0


  • LAYER 8 Netgate

    For the Mac, try setting up the VPN using a profile instead of manually. It sometimes behaves differently.

