[strongSwan] Ikev2 Windows 7 and 8

Martin Willi martin at strongswan.org
Mon Mar 23 08:58:13 CET 2015


Hi Chris,

> leftsubnet=10.72.0.0/16,192.168.1.0/24,<public ip subnet/29>,<another public ip subnet/29>

> On Windows 7 and Windows 8 we can only access the private ip subnets
> after connecting to strongswan. We have to add manually routes to
> access the public ip subnet via the tunnel. Is this a known limitation
> of Windows ("route only private subnets")?

Yes, I think so.

If the "Use default gateway on remote network" option is set, you get a
default route over the VPN interface. If that is unchecked, you have the
additional option to "Disable class based routing addition". As the text
indicates: without a default route, Windows installs "Class based
routes", which means it installs a route for the network class it gets
an IP address for. Without the class based routes, you won't get a route
at all. See [1] for some more info.

This routing mechanism in Windows RAS is common to all VPN protocols,
but unfortunately that limits the capabilities of the IKEv2 protocol.
While we can negotiate complex traffic selectors, Windows can't make use
of them.

For split routing to anything more complex than a single A, B or C
network you can't rely on the functionality provided by that client. But
as you indicated, manually installing your routes could work. You could
even trigger installation programmatically using the Windows RAS API.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling-with-IKEv2
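One way to script the manual route installation described above, as an added PowerShell example that is not part of the original post or of strongSwan: it dials the RAS connection and then adds the leftsubnet prefixes that Windows' class-based route does not cover onto the VPN interface. The connection name 'strongSwan', the assumption that the RAS interface carries the connection name once dialled, and the two RFC 5737 documentation prefixes standing in for the redacted public /29 subnets are assumptions, not values from the thread.

```powershell
# Added example, not from the original post or the strongSwan project.
# Assumptions: the IKEv2 RAS phonebook entry is called 'strongSwan', its
# interface is listed under the same name while connected, and the two /29
# public subnets (placeholders here) are the ones redacted in the thread.
$ConnectionName = 'strongSwan'

# Prefixes from leftsubnet=. Windows derives a single classful route from the
# assigned virtual IP, so at most one of these is covered automatically; the
# rest must be installed by hand, which is what this script does.
$RemoteSubnets = @(
    '10.72.0.0/16',
    '192.168.1.0/24',
    '203.0.113.0/29',   # placeholder for <public ip subnet/29>
    '198.51.100.8/29'   # placeholder for <another public ip subnet/29>
)

function Connect-RasVpn {
    param([string]$Name)
    # rasdial uses the credentials stored in the phonebook entry.
    rasdial $Name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "rasdial '$Name' failed (exit code $LASTEXITCODE)"
    }
}

function Add-TunnelRoute {
    param([string]$Prefix, [string]$InterfaceName)
    # RAS interfaces are point-to-point, so no nexthop is needed.
    # store=active: the route disappears with the interface on disconnect,
    # leaving nothing persistent behind on the client.
    netsh interface ipv4 add route prefix=$Prefix interface="$InterfaceName" store=active | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Typically "The object already exists" when the class-based route
        # already covers this prefix; report it rather than abort.
        Write-Warning "route $Prefix via '$InterfaceName' not added (exit code $LASTEXITCODE)"
    }
}

Connect-RasVpn -Name $ConnectionName
foreach ($subnet in $RemoteSubnets) {
    Add-TunnelRoute -Prefix $subnet -InterfaceName $ConnectionName
}

# Show what actually ended up on the VPN interface.
netsh interface ipv4 show route | Select-String -SimpleMatch $ConnectionName
```

Run it from an elevated PowerShell session, since adding routes requires administrator rights.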


