 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

IKEv2 no internet for client

Sun Feb 18, 2024 4:39 pm

Hi,
I have been trying to get IKEv2 VPN access working for a long time. Finally, client connection (ANDROID) works for me including certificates.
So the client gets into the internal network.
But I would need traffic to be tunneled to the Internet via the VPN, and I can't set that up. Some client applications need access to the local network and the Internet at the same time. I don't know how to do it at all.
Can someone please advise me?
The export settings are in the attachment. Thanks a lot.

Martin
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 no internet for client

Sun Feb 18, 2024 8:50 pm

Try to change the DNS of the mode-config to 8.8.8.8
 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

Re: IKEv2 no internet for client

Thu Feb 22, 2024 7:07 pm

Thanks for the advice, but it does not help. If I change it, it is still not working.
The DNS 192.168.1.16 is a fully functional DNS server with some additional local names.
In my opinion there is some problem with routing from IKEv2 to the internet. But I cannot find the problem.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 no internet for client

Thu Feb 22, 2024 7:21 pm

Before I forget, I highly advise you to hide sensitive information about L2TP VPN pronto! Also, you're lacking a rule which allows out ipsec traffic (or a variant of it modified for your needs), which is a default configuration one.
 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

Re: IKEv2 no internet for client

Tue Feb 27, 2024 9:00 pm

Thanks for the advice. The passwords in the file are fakes. I changed them before upload.
Can you give me an example of the rule which allows out ipsec traffic?
I would appreciate any hint.

Thanks.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 no internet for client

Tue Feb 27, 2024 9:57 pm

/ip firewall filter
add chain=forward ipsec-policy=out,ipsec action=accept 
That would be an example firewall rule that allows out ipsec traffic. You can customise it according to your needs.
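As an added example that is not from this thread or from MikroTik's own documentation, here is that forward rule placed in a minimal filter set for an IKEv2 responder, so the input-chain rules it depends on are visible too. The WAN interface name pppoe-out1 is taken from the poster's NAT rule; the comments and rule order are assumptions.

```routeros
# Added example (not from the thread). Assumes the WAN interface is pppoe-out1,
# as in the original poster's NAT rule; everything else is generic.
/ip firewall filter
# Let the IKEv2 negotiation (UDP/500, NAT-T on UDP/4500) and ESP reach the router itself.
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=pppoe-out1 \
    comment="IKEv2: IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 \
    comment="IKEv2: ESP"
# Decrypted packets coming out of the tunnel (client -> LAN or client -> Internet).
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
# Packets that will be encrypted into the tunnel (LAN or Internet -> client).
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
# Whatever drop rule ends the forward chain must stay below these two accepts,
# otherwise tunnel traffic is dropped before it ever reaches them.
```

After a client connects, /ip firewall filter print stats shows which rules see traffic. A forward rule whose counter rises while the client still has no Internet access points at NAT or at what the client was told to route into the tunnel, not at the filter.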
 
anis
just joined
Posts: 20
Joined: Sun Mar 03, 2024 9:55 pm

Re: IKEv2 no internet for client

Sun Mar 03, 2024 10:44 pm

I have exactly the same problem. Android and Windows clients connect via ikev2 ssl, the ping goes to the local network and the Internet, the address is resolved all over the Internet, only Google search opens from the site and that's it. What is the problem? Can the author solve this problem?
 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

Re: IKEv2 no internet for client

Tue Mar 05, 2024 5:08 pm

Thanks for advice but adding
/ip firewall filter
add chain=forward ipsec-policy=out,ipsec action=accept

for outgoing traffic did not solve the issue.
There were packets passing through this rule but the client still has no internet access. The client still has access only to the local network.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 no internet for client

Tue Mar 05, 2024 10:10 pm

I also noticed that you have a masquerading nat rule only for ipsec-policy=out,none:
/ip firewall nat
add action=masquerade chain=srcnat comment=MSQRD ipsec-policy=out,none \
    log-prefix="NAT MSQRD" out-interface=pppoe-out1 src-address=\
    100.100.100.0/24
Better would be if there weren't any ipsec-policy, or if it were ipsec-policy=in,ipsec.
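As an added example (not from the thread and not the poster's export), here are the two NAT variants this reply describes, written out next to the one rule that should sit above any masquerade on an IPsec responder. The pool 100.100.100.0/24 and the interface pppoe-out1 come from the poster's rule; the comments and ordering are assumptions.

```routeros
# Added example (not from the thread). Pool 100.100.100.0/24 and pppoe-out1 are
# taken from the poster's export; the rule order is the assumption being shown.
/ip firewall nat
# 1) Never rewrite packets that are about to be encrypted towards a client,
#    otherwise replies reach the client with the router's address as source.
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="no NAT into the tunnel"
# 2) Masquerade decrypted client traffic that leaves for the Internet.
#    Variant A: matched on the decrypted packets themselves (in,ipsec).
add chain=srcnat action=masquerade ipsec-policy=in,ipsec out-interface=pppoe-out1 \
    src-address=100.100.100.0/24 comment="VPN clients -> Internet"
#    Variant B: no ipsec-policy matcher at all. Rule 1 already protects
#    tunnel-bound traffic, so a plain source-address match is enough.
# add chain=srcnat action=masquerade out-interface=pppoe-out1 \
#     src-address=100.100.100.0/24 comment="VPN clients -> Internet"
```

/ip firewall nat print stats tells the two failure modes apart: a masquerade counter that stays at zero while the forward filter counter rose means the packets were dropped between the two, whereas both counters at zero means the client never sent Internet traffic into the tunnel in the first place, which is a mode-config question rather than a router one.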
 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

Re: IKEv2 no internet for client

Mon Mar 11, 2024 7:12 pm

Thanks, this NAT is never triggered. The packets are disappearing somewhere before it.
 
MartinK20
just joined
Topic Author
Posts: 6
Joined: Sun Feb 18, 2024 4:30 pm

Re: IKEv2 no internet for client

Sun Apr 14, 2024 11:50 am

Hi,

thanks all for the help.
The solution is simple. The original configuration works well, no additional NAT is required.
But in the IPsec mode config, Split include has to be set to 0.0.0.0/24.
The original setting to the local net has to be deleted! If you only add 0.0.0.0/24 there, it does not work!
So, Split include: 0.0.0.0/24 instead of the local network, and it is solved.
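As an added example, not the poster's export, here is a full-tunnel mode-config entry next to the split-tunnel one it replaces, so the difference the thread turns on is visible in one place. The example uses 0.0.0.0/0 as the split-include, which is the prefix RouterOS mode-config uses to mean "route all IPv4 into the tunnel". The pool range, the entry names, the LAN prefix 192.168.1.0/24 and the peer name ikev2-peer are assumptions; 100.100.100.0/24 and the DNS server 192.168.1.16 appear earlier in the thread.

```routeros
# Added example (not the poster's export). Pool range, names and the LAN prefix are
# assumptions; 100.100.100.0/24 and 192.168.1.16 are taken from the thread.
/ip pool
add name=ikev2-pool ranges=100.100.100.10-100.100.100.200
/ip ipsec mode-config
# Full tunnel: the client installs a policy for all of IPv4, so its Internet
# traffic is sent through the VPN. No narrower prefix (such as the LAN) may be
# listed alongside it; with the LAN prefix present the client routes only the LAN.
add name=ikev2-full address-pool=ikev2-pool address-prefix-length=32 \
    split-include=0.0.0.0/0 static-dns=192.168.1.16 system-dns=no
# Split tunnel for comparison: only the LAN goes through the VPN and everything
# else leaves the client directly. This is what the original configuration did.
add name=ikev2-split address-pool=ikev2-pool address-prefix-length=32 \
    split-include=192.168.1.0/24 static-dns=192.168.1.16 system-dns=no
/ip ipsec identity
# Attach the chosen entry to the identity used by the road-warrior clients
# (ikev2-peer is an assumed peer name).
set [ find peer=ikev2-peer ] mode-config=ikev2-full
```

Because the policy is pushed by the responder, switching the identity between the two entries changes what every client routes without touching the client side. A full tunnel also means all of the client's Internet traffic and DNS now leaves through the router's WAN, so the forward accept for ipsec-policy=in,ipsec and a masquerade rule covering the pool must both be in place, and the router's logs and NAT table will now carry that traffic too.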
