I want to use gateway-defined split tunneling for my Windows and mobile terminals. But it seems to be implemented incompletely and also not to be Windows-compatible at all.
In short:
Windows (latest v10) seems not to receive any subnet/route from the server in a compatible format: no route for the VPN is defined and the VPN is not used when it is disabled as the default gateway.
And in general only the first split-include subnet seems to have any effect:
- No push of the other subnets to the client (tested with Android OpenSwan: uses the VPN only for the first subnet)
- No policy generated for the other subnets, so it is not possible to access the other subnets even with an additional route on the client
Possibly I have errors in my config, but I do not think so:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.77.1/24 192.168.77.0 ether1
1 D 192.168.1.169/24 192.168.1.0 ether6
2 192.168.100.1/24 192.168.100.0 ether1
3 192.168.101.1/24 192.168.101.0 ether1
4 192.168.102.1/24 192.168.102.0 ether1
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec export
# aug/25/2017 16:16:08 by RouterOS 6.41rc18
# software id = IXF3-V908
#
# model = 2011UiAS
# serial number = 608805______
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.100.0/24,192.168.101.0/24,192.168.102.0/24
/ip ipsec peer
add auth-method=rsa-signature certificate=rmt17_IKEv2 exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 RN Martin established 192.168.1.5 192.168.77.253 5m8s
1 R Martin established 192.168.1.4 192.168.77.254 13s
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.77.0/24 protocol=all proposal=default template=yes
1 DA src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.253/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.169 sa-dst-address=192.168.1.5 proposal=default ph2-count=1
2 DA src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.169 sa-dst-address=192.168.1.4 proposal=default ph2-count=1
[admin@MikroTik] >
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. Alle Rechte vorbehalten.
PS C:\Users\Martin> Get-VpnConnection "rmt17"
Name : rmt17
ServerAddress : 192.168.1.169
AllUserConnection : False
Guid : {2CA80302-5D72-4E49-9FE2-FF400010755A}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Optional
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Connected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0
PS C:\Users\Martin> route -4 print
===========================================================================
Schnittstellenliste
16...00 22 68 0a 36 77 ......Intel(R) 82567LM Gigabit Network Connection
46...........................rmt17
10...00 21 6a 31 64 48 ......Intel(R) WiFi Link 5300 AGN
6...00 21 6a 31 64 49 ......Microsoft Hosted Network Virtual Adapter
7...00 23 4d fb 4e 3b ......Bluetooth PAN HelpText
1...........................Software Loopback Interface 1
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 25
127.0.0.0 255.0.0.0 Auf Verbindung 127.0.0.1 331
127.0.0.1 255.255.255.255 Auf Verbindung 127.0.0.1 331
127.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
192.168.1.0 255.255.255.0 Auf Verbindung 192.168.1.4 281
192.168.1.4 255.255.255.255 Auf Verbindung 192.168.1.4 281
192.168.1.169 255.255.255.255 Auf Verbindung 192.168.1.4 26
192.168.1.255 255.255.255.255 Auf Verbindung 192.168.1.4 281
192.168.77.0 255.255.255.0 Auf Verbindung 192.168.77.254 26
192.168.77.254 255.255.255.255 Auf Verbindung 192.168.77.254 281
192.168.77.255 255.255.255.255 Auf Verbindung 192.168.77.254 281
224.0.0.0 240.0.0.0 Auf Verbindung 127.0.0.1 331
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.1.4 281
224.0.0.0 240.0.0.0 Auf Verbindung 192.168.77.254 281
255.255.255.255 255.255.255.255 Auf Verbindung 127.0.0.1 331
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.1.4 281
255.255.255.255 255.255.255.255 Auf Verbindung 192.168.77.254 281
===========================================================================
Ständige Routen:
Keine
PS C:\Users\Martin> ping 192.168.100.1
Ping wird ausgeführt für 192.168.100.1 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Ping-Statistik für 192.168.100.1:
Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
(100% Verlust),
PS C:\Users\Martin>
marlin:/storage/emulated/0 $ ifconfig tun0
tun0 Link encap:UNSPEC
inet addr:192.168.77.253 P-t-P:192.168.77.253 Mask:255.255.255.255
UP POINTOPOINT RUNNING MTU:1400 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:121 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:9240 TX bytes:10164
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show
10.82.144.72/29 dev rmnet_data0 proto kernel scope link src 10.82.144.76
30.0.226.40/30 dev rmnet_data6 proto kernel scope link src 30.0.226.42
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.5
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip rule list
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup 99
10500: from all oif dummy0 uidrange 0-0 lookup 1003
10500: from all oif rmnet_data7 uidrange 0-0 lookup 1013
10500: from all oif wlan0 uidrange 0-0 lookup 1023
10500: from all fwmark 0xc0000/0xc0000 oif rmnet_data6 uidrange 0-0 lookup 1012
10500: from all oif r_rmnet_data0 uidrange 0-0 lookup 1014
10500: from all fwmark 0x40000/0x40000 oif rmnet_data0 uidrange 0-0 lookup 1006
11000: from all iif tun0 lookup 97
12000: from all fwmark 0x0/0x20000 iif lo uidrange 0-99999 lookup 1027
12000: from all fwmark 0xc0069/0xcffff lookup 1027
13000: from all fwmark 0x10063/0x1ffff lookup 97
13000: from all fwmark 0x1000b/0x1ffff lookup 1013
13000: from all fwmark 0x10065/0x1ffff lookup 1023
13000: from all fwmark 0xd0066/0xdffff lookup 1012
13000: from all fwmark 0x1000a/0x1ffff lookup 1014
13000: from all fwmark 0x10069/0x1ffff uidrange 0-99999 lookup 1027
13000: from all fwmark 0x10069/0x1ffff uidrange 0-0 lookup 1027
13000: from all fwmark 0x50064/0x5ffff lookup 1006
14000: from all oif dummy0 lookup 1003
14000: from all oif rmnet_data7 lookup 1013
14000: from all oif wlan0 lookup 1023
14000: from all fwmark 0xc0000/0xc0000 oif rmnet_data6 lookup 1012
14000: from all oif r_rmnet_data0 lookup 1014
14000: from all oif tun0 uidrange 0-99999 lookup 1027
14000: from all fwmark 0x40000/0x40000 oif rmnet_data0 lookup 1006
15000: from all fwmark 0x0/0x10000 lookup 99
16000: from all fwmark 0x0/0x10000 lookup 98
17000: from all fwmark 0x0/0x10000 lookup 97
18000: from all iif r_rmnet_data0 lookup 1023
18000: from all iif r_rmnet_data0 lookup 1003
19000: from all fwmark 0xb/0x1ffff lookup 1013
19000: from all fwmark 0x65/0x1ffff lookup 1023
19000: from all fwmark 0xc0066/0xdffff lookup 1012
19000: from all fwmark 0xa/0x1ffff lookup 1014
19000: from all fwmark 0x40064/0x5ffff lookup 1006
21000: from all fwmark 0x69/0x1ffff lookup 1023
22000: from all fwmark 0x0/0xffff lookup 1023
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show table 97
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show table 1027
192.168.100.0/24 dev tun0 proto static scope link
marlin:/storage/emulated/0 $
Best regards
Martin
Edit: As an addition: at StrongSwan they say split tunneling with Windows 10 is possible: https://wiki.strongswan.org/projects/st ... with-IKEv2
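As an added diagnostic (example code, not part of the original post and not a RouterOS tool), the following Python parses the `/ip ipsec mode-config` export and the `/ip ipsec policy print` output quoted above and reports, per connected client, which split-include subnets never received a dynamic policy on the gateway. The sample input is copied from the post; the function names are this example's own.

```python
import re
from ipaddress import ip_network

# Constructed sample input, copied from the RouterOS output in the post above.
MODE_CONFIG_EXPORT = """\
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.100.0/24,192.168.101.0/24,192.168.102.0/24
"""

POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.77.0/24 protocol=all proposal=default template=yes
1 DA src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.253/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.169 sa-dst-address=192.168.1.5 proposal=default ph2-count=1
2 DA src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.169 sa-dst-address=192.168.1.4 proposal=default ph2-count=1
"""


def parse_split_include(export_text):
    """Return the split-include networks of the first mode-config entry (empty if none)."""
    m = re.search(r"split-include=([\d./,]+)", export_text)
    return [ip_network(n) for n in m.group(1).split(",")] if m else []


def parse_dynamic_policies(print_text):
    """Map each client address (the /32 dst-address) to the src networks that have a dynamic (D) policy."""
    policies = {}
    for line in print_text.splitlines():
        # Policy rows start with an index and a flag field; the template row (T) and
        # the wrapped sa-* continuation lines carry no D flag and are skipped.
        head = re.match(r"\s*\d+\s+([A-Z*]+)", line)
        if not head or "D" not in head.group(1):
            continue
        src = re.search(r"src-address=(\S+)", line)
        dst = re.search(r"dst-address=(\S+)", line)
        if src and dst:
            policies.setdefault(dst.group(1), set()).add(ip_network(src.group(1)))
    return policies


def missing_split_policies(export_text, print_text):
    """For each client, the split-include subnets (as strings) that have no dynamic policy."""
    wanted = parse_split_include(export_text)
    have = parse_dynamic_policies(print_text)
    return {client: sorted(str(n) for n in wanted if n not in nets) for client, nets in have.items()}


if __name__ == "__main__":
    for client, missing in missing_split_policies(MODE_CONFIG_EXPORT, POLICY_PRINT).items():
        print(f"{client}: no policy for {', '.join(missing) or 'none'}")
```

Running it against the quoted output lists 192.168.101.0/24 and 192.168.102.0/24 as missing for both clients, which is the second bullet of the post in checkable form.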