IPSec route only some traffic through tunnel
-
Hi,
I have a remote access mobile VPN set up using IKEv2. It is fully working if I have the local subnet configured as 0.0.0.0/0 under my phase 2 configuration. How can I configure the tunnel so that only traffic to a certain (public) IP address, say a.b.c.d, is routed through the VPN, and all other traffic is routed straight to the (internet) hosts?
Thanks, Jacob
-
Firewall rules on the IPsec tab. Only pass traffic sourced from the mobile clients to the addresses you desire.
-
Hi,
That works in a way - I can limit the traffic so that only traffic to specified hosts/networks is allowed. However, the VPN client doesn't seem to get that information - it still tries to route all data through the VPN. I have the option "Provide a list of accessible networks to clients" enabled.
In the logs I get:
"10[IKE] <con-mobile|238> CHILD_SA con-mobile{201} established with SPIs c69b5a96_i 0aae60c1_o and TS 0.0.0.0/0|/0 === 172.22.44.1/32|/0"
Is there anything more I need to configure for the clients to be aware of what data to send through the VPN?
Thanks, Jacob
-
Whatever traffic the client tries to route through it is up to the client.
You are telling it to route all traffic through the tunnel with 0.0.0.0/0. Try limiting that in scope if you want split-tunnelling.
If it's Windows, maybe some powershell will get you where you want to be.
-
Ah, split tunnelling was what I was looking for! Thank you.
Unfortunately macOS doesn't seem to respect the destinations it retrieves - it still tries to send all traffic through the VPN. Works on Android.
This is what the client receives:
08[IKE] <con-mobile|388> CHILD_SA con-mobile{448} established with SPIs c34ad87b_i 00f6ec12_o and TS 1.1.1.1/32|/0 52.16.214.60/32|/0 === 172.22.44.1/32|/0
-
For the Mac, try setting up the VPN using a profile instead of manually. It sometimes behaves differently.
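The two charon log lines quoted above carry the answer to "what did the client actually receive": the traffic selectors (TS) negotiated for the CHILD_SA. The part left of `===` is the server-side selector (the networks the client is told it may reach through the tunnel); the part right of it is the client's virtual address. The following is an added example, not code from the thread or from pfSense/strongSwan: it parses `CHILD_SA ... established` lines in that format, flags a full-tunnel negotiation (a 0.0.0.0/0 or ::/0 server-side selector) versus a split-tunnel one, and answers whether a given destination would fall inside the negotiated selectors. The sample log text is constructed from the lines in the thread; the `|/0` suffix on each selector is kept verbatim and not interpreted. This only shows what was negotiated on the server; whether the client installs matching routes is still up to the client, as the replies above say.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, copied from the strongSwan (charon) lines quoted in the thread.
# Connection names and SPIs are as posted; they carry no meaning beyond the example.
SAMPLE_LOG = """\
10[IKE] <con-mobile|238> CHILD_SA con-mobile{201} established with SPIs c69b5a96_i 0aae60c1_o and TS 0.0.0.0/0|/0 === 172.22.44.1/32|/0
08[IKE] <con-mobile|388> CHILD_SA con-mobile{448} established with SPIs c34ad87b_i 00f6ec12_o and TS 1.1.1.1/32|/0 52.16.214.60/32|/0 === 172.22.44.1/32|/0
"""

# One CHILD_SA establishment line: "<conn|ike-id> CHILD_SA child{n} established with
# SPIs <in>_i <out>_o and TS <server-side selectors> === <client-side selectors>"
CHILD_SA_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> CHILD_SA (?P<child>\S+) established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local>.+?) === (?P<remote>.+)$"
)


@dataclass
class ChildSA:
    conn: str
    child: str
    spi_in: str
    spi_out: str
    server_side: list  # networks the server offers as reachable through the tunnel
    client_side: list  # the client's virtual IP(s)


def parse_ts_list(text):
    """Turn 'a.b.c.d/n|/0 e.f.g.h/m|/0' into ip_network objects.

    Everything after the first '|' in a token is a qualifier strongSwan appends
    to the selector; it is dropped here rather than interpreted.
    """
    nets = []
    for token in text.split():
        cidr, _, _qualifier = token.partition("|")
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def parse_child_sa(line):
    """Return a ChildSA for an 'established' line, or None for any other line."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    return ChildSA(
        conn=m["conn"],
        child=m["child"],
        spi_in=m["spi_in"],
        spi_out=m["spi_out"],
        server_side=parse_ts_list(m["local"]),
        client_side=parse_ts_list(m["remote"]),
    )


def parse_log(text):
    return [sa for sa in map(parse_child_sa, text.splitlines()) if sa is not None]


def is_full_tunnel(sa):
    """A /0 server-side selector tells the client to send everything through the tunnel."""
    return any(net.prefixlen == 0 for net in sa.server_side)


def goes_through_tunnel(sa, destination):
    """Would traffic to this destination fall inside the negotiated selectors?"""
    ip = ipaddress.ip_address(destination)
    return any(ip in net for net in sa.server_side if net.version == ip.version)


def summarise(sa):
    mode = "full tunnel" if is_full_tunnel(sa) else "split tunnel"
    nets = ", ".join(str(n) for n in sa.server_side)
    return f"{sa.child}: {mode}; client may reach {nets}"


if __name__ == "__main__":
    for sa in parse_log(SAMPLE_LOG):
        print(summarise(sa))
        for dst in ("52.16.214.60", "8.8.8.8"):
            print(f"  {dst} via tunnel: {goes_through_tunnel(sa, dst)}")
```

Run against the two posted lines, the first CHILD_SA is reported as a full tunnel (0.0.0.0/0) and the second as a split tunnel covering only 1.1.1.1/32 and 52.16.214.60/32, with 8.8.8.8 outside it. That is the server's view; to see what a macOS client did with those selectors, compare against its own routing table (`netstat -rn`) while connected.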