marting
Member Candidate
Topic Author
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Fri Aug 25, 2017 5:29 pm

Hi,

I want to use gateway-defined split tunneling for my Windows and mobile terminals. But it seems to be implemented incompletely and also not to be Windows-compatible at all.

In short:
Windows (latest v10) seems not to receive any subnet/route from the server in a compatible format: no route for the VPN is defined, and the VPN is not used while it is disabled as default gateway.
And in general only the first split-include subnet seems to have an effect:
- No push of the other subnets to the client (tested with Android OpenSwan: uses VPN only for the first subnet)
- No policy generated for the other subnets, so not possible to access the other subnets even with additional route on the client

It is possible that I have errors in my config, but I do not think so:
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                  
 0   192.168.77.1/24    192.168.77.0    ether1                                                                                                                     
 1 D 192.168.1.169/24   192.168.1.0     ether6                                                                                                                     
 2   192.168.100.1/24   192.168.100.0   ether1                                                                                                                     
 3   192.168.101.1/24   192.168.101.0   ether1                                                                                                                     
 4   192.168.102.1/24   192.168.102.0   ether1                                                                                                                     
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec export
# aug/25/2017 16:16:08 by RouterOS 6.41rc18
# software id = IXF3-V908
#
# model = 2011UiAS
# serial number = 608805______
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.100.0/24,192.168.101.0/24,192.168.102.0/24
/ip ipsec peer
add auth-method=rsa-signature certificate=rmt17_IKEv2 exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
[admin@MikroTik] > 
[admin@MikroTik] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              REMOTE-ADDRESS                                               DYNAMIC-ADDRESS                     UPTIME              
 0 RN Martin               established        192.168.1.5                                                  192.168.77.253                      5m8s                
 1 R  Martin               established        192.168.1.4                                                  192.168.77.254                      13s                 
[admin@MikroTik] > 
[admin@MikroTik] > /ip ipsec policy print      
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.77.0/24 protocol=all proposal=default template=yes 

 1  DA  src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.253/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
        sa-src-address=192.168.1.169 sa-dst-address=192.168.1.5 proposal=default ph2-count=1 

 2  DA  src-address=192.168.100.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
        sa-src-address=192.168.1.169 sa-dst-address=192.168.1.4 proposal=default ph2-count=1 
[admin@MikroTik] > 
Windows Client:
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. Alle Rechte vorbehalten.

PS C:\Users\Martin> Get-VpnConnection "rmt17"


Name                  : rmt17
ServerAddress         : 192.168.1.169
AllUserConnection     : False
Guid                  : {2CA80302-5D72-4E49-9FE2-FF400010755A}
TunnelType            : Ikev2
AuthenticationMethod  : {MachineCertificate}
EncryptionLevel       : Optional
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Connected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0



PS C:\Users\Martin> route -4 print
===========================================================================
Schnittstellenliste
 16...00 22 68 0a 36 77 ......Intel(R) 82567LM Gigabit Network Connection
 46...........................rmt17
 10...00 21 6a 31 64 48 ......Intel(R) WiFi Link 5300 AGN
  6...00 21 6a 31 64 49 ......Microsoft Hosted Network Virtual Adapter
  7...00 23 4d fb 4e 3b ......Bluetooth PAN HelpText
  1...........................Software Loopback Interface 1
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.4     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    331
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
      192.168.1.0    255.255.255.0   Auf Verbindung       192.168.1.4    281
      192.168.1.4  255.255.255.255   Auf Verbindung       192.168.1.4    281
    192.168.1.169  255.255.255.255   Auf Verbindung       192.168.1.4     26
    192.168.1.255  255.255.255.255   Auf Verbindung       192.168.1.4    281
     192.168.77.0    255.255.255.0   Auf Verbindung    192.168.77.254     26
   192.168.77.254  255.255.255.255   Auf Verbindung    192.168.77.254    281
   192.168.77.255  255.255.255.255   Auf Verbindung    192.168.77.254    281
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    331
        224.0.0.0        240.0.0.0   Auf Verbindung       192.168.1.4    281
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.77.254    281
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    331
  255.255.255.255  255.255.255.255   Auf Verbindung       192.168.1.4    281
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.77.254    281
===========================================================================
Ständige Routen:
  Keine
PS C:\Users\Martin> ping 192.168.100.1

Ping wird ausgeführt für 192.168.100.1 mit 32 Bytes Daten:
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.
Zeitüberschreitung der Anforderung.

Ping-Statistik für 192.168.100.1:
    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4
    (100% Verlust),
PS C:\Users\Martin>
Android client
marlin:/storage/emulated/0 $ ifconfig tun0
tun0      Link encap:UNSPEC
          inet addr:192.168.77.253  P-t-P:192.168.77.253  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1400  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:9240 TX bytes:10164

marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show
10.82.144.72/29 dev rmnet_data0  proto kernel  scope link  src 10.82.144.76
30.0.226.40/30 dev rmnet_data6  proto kernel  scope link  src 30.0.226.42
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.5
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip rule list
0:      from all lookup local
10000:  from all fwmark 0xc0000/0xd0000 lookup 99
10500:  from all oif dummy0 uidrange 0-0 lookup 1003
10500:  from all oif rmnet_data7 uidrange 0-0 lookup 1013
10500:  from all oif wlan0 uidrange 0-0 lookup 1023
10500:  from all fwmark 0xc0000/0xc0000 oif rmnet_data6 uidrange 0-0 lookup 1012
10500:  from all oif r_rmnet_data0 uidrange 0-0 lookup 1014
10500:  from all fwmark 0x40000/0x40000 oif rmnet_data0 uidrange 0-0 lookup 1006
11000:  from all iif tun0 lookup 97
12000:  from all fwmark 0x0/0x20000 iif lo uidrange 0-99999 lookup 1027
12000:  from all fwmark 0xc0069/0xcffff lookup 1027
13000:  from all fwmark 0x10063/0x1ffff lookup 97
13000:  from all fwmark 0x1000b/0x1ffff lookup 1013
13000:  from all fwmark 0x10065/0x1ffff lookup 1023
13000:  from all fwmark 0xd0066/0xdffff lookup 1012
13000:  from all fwmark 0x1000a/0x1ffff lookup 1014
13000:  from all fwmark 0x10069/0x1ffff uidrange 0-99999 lookup 1027
13000:  from all fwmark 0x10069/0x1ffff uidrange 0-0 lookup 1027
13000:  from all fwmark 0x50064/0x5ffff lookup 1006
14000:  from all oif dummy0 lookup 1003
14000:  from all oif rmnet_data7 lookup 1013
14000:  from all oif wlan0 lookup 1023
14000:  from all fwmark 0xc0000/0xc0000 oif rmnet_data6 lookup 1012
14000:  from all oif r_rmnet_data0 lookup 1014
14000:  from all oif tun0 uidrange 0-99999 lookup 1027
14000:  from all fwmark 0x40000/0x40000 oif rmnet_data0 lookup 1006
15000:  from all fwmark 0x0/0x10000 lookup 99
16000:  from all fwmark 0x0/0x10000 lookup 98
17000:  from all fwmark 0x0/0x10000 lookup 97
18000:  from all iif r_rmnet_data0 lookup 1023
18000:  from all iif r_rmnet_data0 lookup 1003
19000:  from all fwmark 0xb/0x1ffff lookup 1013
19000:  from all fwmark 0x65/0x1ffff lookup 1023
19000:  from all fwmark 0xc0066/0xdffff lookup 1012
19000:  from all fwmark 0xa/0x1ffff lookup 1014
19000:  from all fwmark 0x40064/0x5ffff lookup 1006
21000:  from all fwmark 0x69/0x1ffff lookup 1023
22000:  from all fwmark 0x0/0xffff lookup 1023
23000:  from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000:  from all unreachable
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show table 97
marlin:/storage/emulated/0 $
marlin:/storage/emulated/0 $ ip route show table 1027
192.168.100.0/24 dev tun0  proto static  scope link
marlin:/storage/emulated/0 $
Additionally, it would be very nice to see the caller's name (cert name) within Remote Peers not only in the terminal but also in WinBox.

Best regards
Martin

Edit: As an addition: at strongSwan they say split tunneling with Windows 10 is possible: https://wiki.strongswan.org/projects/st ... with-IKEv2
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Sat Aug 26, 2017 2:39 am

The Windows 10 implementation of PowerShell 5 added cmdlets for managing routes that are injected dynamically with a VPN connection:
Add-VpnConnectionRoute
Remove-VpnConnectionRoute
The PPP route section has always been for the PPP server (router side).
 
marting
Member Candidate
Topic Author
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Aug 28, 2017 2:29 pm

In my understanding Add-VpnConnectionRoute is something like route -p add .... "vpn" (you have to add each route by hand): https://technet.microsoft.com/en-us/itp ... ctionroute
Whereas the flag SplitTunneling = true should cause the routes to be added automatically without having to specify them: https://technet.microsoft.com/en-us/itp ... ttunneling
Perhaps I misunderstand, but how would you add all routes injected by the server with Add-VpnConnectionRoute? And what about automatic changes after modifying them on the server?
 
marting
Member Candidate
Topic Author
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Wed Oct 18, 2017 2:56 pm

Is there any news on this? Does nobody else have this problem?
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Thu Oct 19, 2017 2:51 pm

Yes, currently only the first subnet from splitnets is used in RouterOS. This will be improved in the future.
 
marting
Member Candidate
Topic Author
Posts: 172
Joined: Thu Aug 21, 2014 2:07 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Thu Oct 19, 2017 2:54 pm

Thank you for the confirmation.
Any plans for a timeline?
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Jun 18, 2018 11:57 am

Hi, is there any solution for this problem on Windows 10,
other than:
Add-VpnConnectionRoute -ConnectionName "My VPN" -DestinationPrefix 192.168.0.0/16 -PassThru

@Mikrotik or someone else: Is there any way to send DHCP option 121 (Static Routes) when Win10 connects, for split tunneling? I think if Mikrotik would send Split Include as those parameters it would work, because this is the way it works on a Windows VPN server (IKEv2). And there can be multiple split tunnels.

I have tried this on the latest current 6.42.3.
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Jun 18, 2018 12:05 pm

Windows ignores splitnets configured on the router.

As for DHCP option 121, you can already do that by configuring options on the DHCP server.
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Jun 18, 2018 2:56 pm

@mrz

The IKEv2 client gets an IP from an IP pool (IKE-Pool). I have one or more DHCP servers on the LAN side (depending on VLANs..).
But for example's sake let's just say I have one on Bridge-Local.

Bridge-local: 192.168.1.0/24
IKE-Pool: 192.168.200.0/24

Where do I set DHCP option 121 (on the bridge-local DHCP server options) so the VPN client gets it? I think this is not possible (please correct me!!). This is why I said if you could send the IKE client address together with DHCP option 121.. It was just a thought on how you (Mikrotik) could solve this problem..
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Jun 18, 2018 3:10 pm

Ike2 and the DHCP server are completely unrelated. The DHCP server does not give out addresses after an ike2 client connects, if that is what you are trying to do.

If you are asking about DHCP unrelated to the ike2 connection, then see the manual on how to add options:
https://wiki.mikrotik.com/wiki/Manual:I ... CP_Options
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Jun 18, 2018 3:34 pm

Actually yes and no :)

Windows Server VPN (RRAS) uses DHCP to assign IP addresses to VPN clients.
Mikrotik uses only an IP pool. But that is OK, it works.

I am trying to put into motion (if you can) a "feature": in addition to classic routes being sent to the client, another push of DHCP option 121 with the split-include settings.
If you get what I mean.

As you know, the majority of clients are still Windows.
Or better yet, if you convince MS to follow the rules :)... small fish / big fish :)

On a side note, on pfSense I can get the routes pushed to my Win10 client.. So they are doing something that the Windows client approves of...
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Fri Sep 14, 2018 12:29 pm

Any progress here @mrz? You mentioned some improvements in the future.
I have the same issue here with a CCR and current RouterOS on Windows and macOS/iOS clients.
They only use the first subnet defined in mode-config > split-include. The other subnets for the split tunnel are ignored.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Mon Oct 29, 2018 11:42 am

What's new in 6.44beta28 (2018-Oct-29 07:58):

*) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

IKEv2 can now respond to DHCP Inform requests from Windows devices. This feature currently works on peers with specific Vendor ID which should include all Windows operating systems. One thing to keep in mind - Windows always requests TSr of 0.0.0.0/0, so it is necessary to allow the responder to generate policy with src-address=0.0.0.0/0.

As for iOS and macOS - they only accept the first split-network provided to them. It is a limitation on their side and there currently is no workaround.
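The two posts above turn on the same wire format: RFC 3442 classless static routes, carried as DHCP option 121 and, for Windows, as Microsoft's option 249 with identical encoding. The following is an added example (not RouterOS code and not from anyone in this thread) that encodes this thread's split-include list in that format; the next-hop 192.168.77.1 is an assumed placeholder, and the option-249 code number and the 255-byte option limit are standard DHCP facts, not claims about how RouterOS builds its reply.

```python
import ipaddress

# Constructed sample: the split-include list from the thread's configuration.
# The next-hop is a placeholder (assumed), not a value taken from the thread.
SPLIT_INCLUDE = ["192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24"]
ASSUMED_ROUTER = "192.168.77.1"

OPTION_121 = 121  # RFC 3442 Classless Static Route
OPTION_249 = 249  # Microsoft Classless Static Route, same value encoding


def encode_classless_routes(routes):
    """Encode (destination, router) pairs as an RFC 3442 route list.

    Each entry is: prefix length (1 byte), only the significant octets of
    the destination (ceil(prefix/8) bytes), then the 4-byte router address.
    A default route (/0) therefore carries no destination octets at all.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)  # strict: rejects host bits set
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; returns (destination, router) strings."""
    routes, i = [], 0
    while i < len(payload):
        prefix = payload[i]
        n = (prefix + 7) // 8
        if prefix > 32 or i + 1 + n + 4 > len(payload):
            raise ValueError("malformed classless route list")
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + n].ljust(4, b"\x00"))
        router = ipaddress.IPv4Address(payload[i + 1 + n:i + 5 + n])
        routes.append((f"{dest}/{prefix}", str(router)))
        i += 1 + n + 4
    return routes


def build_option(code, payload):
    """Wrap a value in DHCP TLV form: option code, length, value (max 255 bytes)."""
    if len(payload) > 255:
        raise ValueError("route list exceeds one option; split it across options")
    return bytes([code, len(payload)]) + payload


def split_include_option(networks=SPLIT_INCLUDE, router=ASSUMED_ROUTER, code=OPTION_249):
    """Build the option a responder would place in its DHCP reply for this list."""
    return build_option(code, encode_classless_routes([(n, router) for n in networks]))
```

Each /24 entry costs 8 bytes, so the three networks here fit easily; the 255-byte limit is what bounds how many split networks a single option can carry.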
 
HaPe
Member Candidate
Posts: 239
Joined: Fri Feb 10, 2012 10:24 pm
Location: Poland

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Tue May 05, 2020 4:37 pm

emils wrote: As for iOS and macOS - they only accept the first split-network provided to them. It is a limitation on their side and there currently is no workaround.

Hello, any update? Is it possible to send more than one route (split-network) to a Mac client?
 
radut
just joined
Posts: 1
Joined: Sat Apr 25, 2020 9:53 am

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Tue May 12, 2020 11:33 am

Hi,
Was this fixed? On the testing/dev branch?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Tue May 12, 2020 3:47 pm

This is not a bug of Mikrotik, so this is not the right forum to ask. Mikrotik cannot affect how iOS handles the received split-include list.
