• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Pfsense 2.2.4 - split-tunneling using windows clients - missing route to vpn

Scheduled Pinned Locked Moved IPsec
8 Posts 6 Posters 7.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    scottzech
    last edited by Aug 6, 2015, 1:41 AM

    Hey Jimp or whoever else sees this! I changed to a new thread since your steered me to a new idea vpn wise. (greatly appreciated)

    I now have setup ipsec using ikev2, and eap-mschapv2 following the guide on pfsense.org (thank you doc folks!)
    I alter the vpn connection on windows 8.1 and uncheck the route to remote gateway, which should allow split tunneling if I understand properly. IPSEC on pfsense 2.2.4 is set to provide a virtual address 192.168.250.x which is known to not conflict with any users remote networks.

    This leaves mobile windows 8 clients using their own ISP for internet access, and a connected vpn to the office, EXCEPT, their is no route added to the windows clients for 10.0.0.0/8 network in the office.
    I can add that  using route add 10.0.0.0/8 192.168.250.x but the problem is that the 192.168.250.x address is virtual and will change!
    so even -p (persistent) route doesn't help here.

    I can't imagine I am the only one wanting to do this, and feel I must just be missing something simple.
    I really would prefer to make this work without adding .cmd files to add the route manually.

    Can someone please help me out here with some ideas??

    thanks, scott

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Aug 7, 2015, 2:46 PM

      We looked this over via the support ticket system, but I'll respond here as well:

      Looking over the IPsec daemon documentation it appears what you are after may not be possible in a way that is both usable and desirable. It's a limitation of the Windows VPN client and not pfSense or IKEv2. The Windows client has no mechanism to receive routes/subnets over IKEv2 other than the VPN tunnel network itself. Unfortunately that's how the Windows client has always worked even with PPTP.

      With "Use default gateway on remote network" unchecked all it will do is forward traffic for the VPN subnet itself, in your case, 192.168.50.x. Trying to fake that out by supplying the LAN network for the VPN tunnel network had issues as well and was not viable.

      So it seems there are few choices here, none of which are all that good:

      • Let it tunnel all across the VPN while the clients are connected (and keep blocking Internet access) – this is the most secure choice, though not terribly convenient

      • Manually add the route to accomplish the split tunneling, which is also not very convenient

      • Use a different VPN type/client that does properly support split tunneling (e.g. OpenVPN, Shrew Soft perhaps using xauth, etc)

      • If all the clients are Windows 8.1 or later you might be able to rig something up with Windows Powershell cmdlets:
        https://technet.microsoft.com/en-us/library/dn262649.aspx

      If you want to stay with IPsec, what you are trying to do should work fine with the Shrew client and an xauth style IPsec VPN ( https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To ). OpenVPN works excellently for split tunnel VPNs and may be a better way forward ( https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server )

      Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • T
        timboau
        last edited by Aug 13, 2015, 2:48 AM

        Is there a working config for Shrew Soft (happy to router all without split tunnel) that works with Windows 8.1 / 10?

        I have a working config that's fine with iOS, Windows 7 etc

        It appears to be a routing issue, even adding the route via Shew Soft doesnt seem to help (It shows the route in Shrew VPN trace but there is no published route in the OS

        1 Reply Last reply Reply Quote 0
        • D
          doktornotor Banned
          last edited by Aug 13, 2015, 5:48 AM

          W10? Don't think it works there at all…

          1 Reply Last reply Reply Quote 0
          • K
            kapara
            last edited by Jul 11, 2016, 4:19 PM

            On windows 8.1 and 10 you use powershell to allow this.  checking or unchecking the use default gateway does not work for me.  below has worked flawlessly for me on over 40 laptops which connect remotely that are using windows 10.

            Add-VpnConnection -Name "NameofVPN" -ServerAddress "pfsense.domain.com" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection

            Add-VpnConnectionRoute -ConnectionName "NameofVPN" -DestinationPrefix "Remote subnet"/24 -PassThru

            replace RemoteSubnet with 192.168.1.0 (Ex)  or what ever your remote subnet is.

            Skype ID:  Marinhd

            1 Reply Last reply Reply Quote 0
            • C
              chris2016
              last edited by Oct 5, 2016, 5:32 PM

              @jimp:

              With "Use default gateway on remote network" unchecked all it will do is forward traffic for the VPN subnet itself, in your case, 192.168.50.x. Trying to fake that out by supplying the LAN network for the VPN tunnel network had issues as well and was not viable.

              What issues are this? I've seen an old (Debian) PPTP daemon config where exactly this was done. I'm just curious. Is this possible because it's a point-to-point link? Is there any arp proxying required?

              1 Reply Last reply Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Oct 5, 2016, 6:16 PM

                There would be no ARP request, and it is not bridged.

                The PPTP method used to work on pfSense as well because it faked the ARP step. While it may also be possible to fudge this with a proxy ARP VIP on pfSense matching the size of the IPsec subnet, it's ugly and you'd have to be careful not to step on the mobile client range with statics or local DHCP clients.

                Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • C
                  chris2016
                  last edited by Oct 5, 2016, 6:29 PM

                  Thank you for your quick reply. Had the same problem scottzech posted and I will probably use OpenVPN now.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                    This community forum collects and processes your personal information.
                    consent.not_received