I have these ipsec mode configs which work perfectly fine:
add address-pool="ipsec ikev2 vpn.domaint.ldl" address-prefix-length=32 name=\
ike2-conf split-include=10.0.0.0/8
add address-pool=ipsec_user1 address-prefix-length=32 name=user1-ipsec \
split-include=10.0.0.0/8
I assign one of the mode configs alternately to one ipsec identity, and the ipsec connection gets an IP from the correct pool, so that is working.
Now I would like to have all traffic of one of the road warriors going through the tunnel, so I thought: let's create one mode-config with split-include=0.0.0.0/0 and assign it to an identity.
add address-pool=ipsec_user address-prefix-length=32 name=ipsec_user_all_in \
split-include=0.0.0.0/0
Then I assign the mode config to the identity:
add auth-method=digital-signature certificate=vpn.domain.tld generate-policy=\
port-strict match-by=certificate mode-config=ipsec_user_all_in peer=ike2 \
policy-template-group=ike2-policies remote-certificate=userdomain.tld \
remote-id=user-fqdn:user@domain.tld
I then connect (iPhone), and I get the right IP from the right pool, but no traffic goes through. In the logs I see no firewall denied messages (I log all denied packets); switching to the mode-config using split-include=10.0.0.0/8 gets it working again, but that is obviously not the desired situation in this case.
I am missing something simple, but do not know what. Any help greatly appreciated.
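Added example (not part of the original post, and not the poster's configuration): the two places a full-tunnel mode-config usually breaks on RouterOS, shown as the config to check. First, the policy generated from the template in the group named on the identity (ike2-policies, from the post) has src-address equal to the split-include network and dst-address equal to the client's pool IP; if the template's src-address only covers 10.0.0.0/8, a 0.0.0.0/0 split-include does not match it and no policy is installed, so traffic is silently dropped rather than logged as a firewall deny. Second, once client traffic leaves for the Internet it needs source NAT, while return traffic that will be encrypted must not be NATed before the policy matches it. The pool name ipsec_user and the interface name ether1-wan are assumptions for the example.

```routeros
# Policy template for the group referenced by the identity (group name is from the post).
# src-address must cover every split-include network pushed to clients, so for a
# full tunnel it has to be 0.0.0.0/0. dst-address covers the pool the clients get.
/ip ipsec policy
add group=ike2-policies template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# The mode-config that pushes the default route to the client (pool name assumed).
/ip ipsec mode-config
add address-pool=ipsec_user address-prefix-length=32 name=ipsec_user_all_in \
    split-include=0.0.0.0/0

# NAT ordering: packets that will be encrypted by an IPsec policy must keep their
# original source address, so accept them in srcnat before the masquerade rule;
# everything else from the clients is masqueraded out the WAN interface (name assumed).
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="do not NAT traffic that an IPsec policy will encrypt"
add chain=srcnat action=masquerade out-interface=ether1-wan
```

After a client connects, `/ip ipsec policy print` should show a dynamic (generated) policy with src-address=0.0.0.0/0 and dst-address set to the client's pool IP; if it is absent while the SA is up, the template is the thing to fix. `/ip ipsec installed-sa print` together with the policy's packet counters tells you whether traffic is reaching the policy at all, which distinguishes a template mismatch from a NAT or routing problem.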