[strongSwan] Fwd: Windows native VPN client routing problem

Giuseppe De Marco giuseppe.demarco at unical.it
Thu Jan 11 10:10:57 CET 2018

The def gw route's metric in Windows can be changed at runtime.
If you want to fix the def gw from the VPN in Windows 10, just go to the NIC
properties of the VPN network interface, Network, IPv4 -> Properties,
Advanced, Use default gateway, then apply :)


2018-01-11 9:35 GMT+01:00 Marian Kechlibar <marian.kechlibar at circletech.net>

> Hi all,
>
> this is a description of a problem that I spent a better part of
> yesterday struggling with. I am sending a description of the problem and
> the solution for anyone who might be interested.
>
> I also have the feeling that this might be suited for the StrongSwan
> Wiki. Please let me know whether I should add it there.
>
> So.
>
> The symptoms
> ------------
> Server: strongswan 5.5.3 on CentOS 7.
> Client: native Windows VPN client, Windows 7 or Windows 10.
> Upon connection, the client ignores the traffic selectors sent by the
> server. A "print route" command will reveal that they were not added to
> the routing table. But non-Windows clients (Linux, Android) are routing
> well, so the server is probably correctly set up.
> Setting log level of charon to 2 will reveal that the traffic selectors
> are indeed sent correctly.
>
> The cause
> ---------
> Windows native VPN client ignores the traffic selectors unless your
> client IP address is from the same range. So if you get, say,
> and your local_ts is, your routing will be
> OK, but if your local_ts is, it will not.
> Whether this is a bug or a weird feature, I do not know. That is how
> things go with Microsoft.
>
> The solution
> ------------
> AFAIK there is no way to force the native client into acknowledging
> the traffic selectors sent by the server.
>
> All workarounds require Administrator privileges on the client Windows
> installation, at least for a few minutes.
>
> If your traffic selectors are dynamic, you are better off with another,
> non-native Windows client.
>
> If your traffic selectors are static, you can set up permanent routes on
> your system from Administrator's command line like this.
>
> First, you need to know the interface number of your VPN. Connect the
> VPN (even though the routing is bad) and run "route print". At the
> beginning of the output, a list of all the interfaces is given. Each line
> represents one interface and begins with the number of the interface. In my
> case, the VPN usually has something like 30.
>
> Disconnect the VPN and run the following command from your
> Administrator's command line:
>
> route -P add (range) mask (mask) (gateway) IF (interface number)
>
> This will create a permanent route tied to your VPN. After that, a
> regular Windows user will be able to connect the VPN with correct routing.
>
> On Windows 10, there is another solution using a PowerShell script. In
> case of interest, I can describe it as well.
>
> Best regards
> Marian Kechlibar
> Prague, CZ
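
One way to attach static routes to a Windows 10 VPN profile with the built-in VpnClient cmdlets, so they do not depend on the interface number. This is an added example, not code from either poster and not necessarily the PowerShell script mentioned above; the profile name and the prefixes are hypothetical values chosen for illustration.

```powershell
# Added example: store per-prefix routes on a Windows 10 VPN profile.
# Hypothetical values: the profile name and the sample prefixes below.
param(
    [string]   $ConnectionName = 'Office-IKEv2',
    [string[]] $Prefixes       = @('10.20.0.0/16', '10.30.5.0/24'),
    [switch]   $EnableSplitTunnel
)

# Fail early if the profile does not exist for the current user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling = $false corresponds to the "Use default gateway on remote
# network" checkbox being ticked: all traffic already goes through the VPN,
# so per-prefix routes add nothing. Changing that is a policy decision
# (full tunnel vs. split tunnel), so it is only done when asked for.
if (-not $vpn.SplitTunneling) {
    if (-not $EnableSplitTunnel) {
        Write-Warning "Profile '$ConnectionName' uses the VPN as default gateway; no routes added."
        return
    }
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Add only the prefixes that are not already stored on the profile,
# so the script can be re-run safely.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $Prefixes) {
    if ($existing -contains $prefix) {
        Write-Host "already present: $prefix"
        continue
    }
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    Write-Host "added: $prefix"
}

# Show what is now stored on the profile.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Select-Object DestinationPrefix
```

The stored routes are installed when the connection is established; after reconnecting, `route print` should list the prefixes against the VPN interface.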