[strongSwan] Windows native VPN client routing problem

Marian Kechlibar marian.kechlibar at circletech.net
Thu Jan 11 09:35:15 CET 2018 

Hi all,

this is a description of a problem that I spent a better part of
yesterday struggling with. I am sending a description of the problem and
the solution for anyone who might be interested.

I also have the feeling that this might be suited for the StrongSwan
Wiki. Please let me know whether I should add it there.

So.

The symptoms
------------
Server: strongswan 5.5.3 on CentOS 7.
Client: native Windows VPN client, Windows 7 or Windows 10.

Upon connection, the client ignores the traffic selectors sent by the
server. A "print route" command will reveal that they were not added to
the routing table. But non-Windows clients (Linux, Android) are routing
well, so the server is probably correctly set up.

Setting log level of charon to 2 will reveal that the traffic selectors
are indeed sent correctly.

The cause
---------
Windows native VPN client ignores the traffic selectors unless your
client IP address is from the same range. So if you get, say,
10.105.107.31 and your local_ts is 10.105.107.0/24, your routing will be
OK, but if your local_ts is 172.17.1.0/24, it will not.

Whether this is a bug or a weird feature, I do not know. That is how
things go with Microsoft.

The solution
------------
AFAIK there is no way how to force the native client into acknowledging
the traffic selectors sent by the server.

All workarounds require Administrator privileges on the client Windows
installation, at least for a few minutes.

If your traffic selectors are dynamic, you are better off with another,
non-native Windows client.

If your traffic selectors are static, you can set up permanent routes on
your system from Administrator's command line like this.

First, you need to know the interface number of your VPN. Connect the
VPN (even though the routing is bad) and run "route print". At the
beginning of the output, list of all the interfaces is given. Each line
represents one interface and begins with number of the interface. In my
case, the VPN usually has something like 30.

Disconnect the VPN and run the following command from your
Administrator's command line:

route -P add (range) mask (mask) (gateway) IF (interface number)

This will create a permanent route tied to your VPN. After that, a
regular Windows user will be able to connect the VPN with correct routing.

On Windows 10, there is another solution using a PowerShell script. In
case of interest, I can describe it as well.

Best regards

Marian Kechlibar
Prague, CZ

More information about the Users mailing list