Issue #3255

Split Tunneling on Windows 10

Added by Jordan Henry 7 days ago. Updated 7 days ago.

Status:
Closed
Priority:
Normal
Category:
interoperability
Affected version:
5.4.0
Resolution:
Duplicate

Description

Hello,

I am using strongSwan on a Raspberry Pi as the "server" and a Windows 10 computer as the "client" to have secure communication between them. The connection and the authentication are OK, but when I try to reach my Raspberry with a ping, for example, it is not sent through the VPN (I sniff the traffic between the Raspberry and the computer and I can see the ICMP packets).

On the Raspberry, I block every port except those for SSH, DHCP and IPsec. Below is my iptables output:

Chain INPUT (policy DROP 51 packets, 4431 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1292 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     esp  --  eth1   any     anywhere             anywhere
  645 85429 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:ssh
  463  168K ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp dpt:bootps
   23  8972 ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp dpt:500
  752  137K ACCEPT     udp  --  eth1   any     anywhere             anywhere             udp dpt:4500

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1292 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     esp  --  any    eth1    anywhere             anywhere
  564  102K ACCEPT     tcp  --  any    eth1    anywhere             anywhere             tcp spt:ssh
  452  148K ACCEPT     udp  --  any    eth1    anywhere             anywhere             udp spt:bootps
   19  5516 ACCEPT     udp  --  any    eth1    anywhere             anywhere             udp spt:500
  373 68140 ACCEPT     udp  --  any    eth1    anywhere             anywhere             udp spt:4500

Here is my ipsec.conf file:

config setup
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=150s

conn red-to-blue
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    rekey=no
    #Raspberry
    left=192.168.10.1
    leftauth=pubkey
    leftid="C=xx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx, N=xxx, E=xxx"
    leftcert=cpu.crt
    leftsendcert=always
    leftfirewall=yes
    leftsubnet=192.168.10.1/32
    #PC
    right=%any
    rightid=%any
    rightsourceip=192.168.10.100
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

On Windows I created the VPN connection with the following commands:

Add-VpnConnection -Name "Test IPSec" -ServerAddress "192.168.10.1" -TunnelType IKEv2 -EncryptionLevel Maximum -AuthenticationMethod EAP -RememberCredential

Set-VpnConnectionIPsecConfiguration -ConnectionName "Test IPSec" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -Force

Add-VpnConnectionRoute -ConnectionName "Test IPSec" -DestinationPrefix 192.168.10.1/32

Set-VpnConnection -Name "Test IPSec" -SplitTunneling $True

Any advice would be appreciated.

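As an added check, not part of the original report or of strongSwan itself: a small Python script that automates what the reporter did by hand, sniffing between the two peers and flagging any packet between them that is neither ESP nor IKE/NAT-T UDP, i.e. traffic that went outside the tunnel. The client address 192.168.10.50 and the capture summary are constructed for the example.

```python
# Added example (not from the strongSwan issue): flag packets between the IPsec
# peers that are neither ESP nor IKE/NAT-T, i.e. traffic that bypassed the tunnel.
from dataclasses import dataclass
from typing import List, Optional

SERVER = "192.168.10.1"   # left= / leftsubnet in the reporter's ipsec.conf
CLIENT = "192.168.10.50"  # assumed physical address of the Windows client
IKE_PORTS = {500, 4500}   # IKE, and UDP-encapsulated ESP (forceencaps=yes)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "esp", "udp", "tcp", "icmp", ...
    sport: Optional[int]   # None for protocols without ports
    dport: Optional[int]

def _port(field: str) -> Optional[int]:
    return None if field == "-" else int(field)

def parse_capture(text: str) -> List[Packet]:
    """Parse constructed summary lines: 'src dst proto sport dport' ('-' = no port)."""
    pkts = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport = line.split()
        pkts.append(Packet(src, dst, proto.lower(), _port(sport), _port(dport)))
    return pkts

def is_outer_ipsec(p: Packet) -> bool:
    """ESP, or UDP on 500/4500, is the expected outer traffic of the tunnel."""
    if p.proto == "esp":
        return True
    return p.proto == "udp" and (p.sport in IKE_PORTS or p.dport in IKE_PORTS)

def find_bypass(pkts: List[Packet], a: str = SERVER, b: str = CLIENT) -> List[Packet]:
    """Packets exchanged between the two peers that are not ESP/IKE left the tunnel."""
    return [p for p in pkts if {p.src, p.dst} == {a, b} and not is_outer_ipsec(p)]

# Constructed capture summary: IKE on 500, NAT-T on 4500, then a cleartext ping
# and SSH between the peers, and one unrelated host that is ignored.
SAMPLE_CAPTURE = """
192.168.10.50 192.168.10.1 udp 500 500
192.168.10.1 192.168.10.50 udp 500 500
192.168.10.50 192.168.10.1 udp 4500 4500
192.168.10.50 192.168.10.1 icmp - -
192.168.10.1 192.168.10.50 icmp - -
192.168.10.50 192.168.10.1 tcp 51000 22
192.168.10.7 192.168.10.1 tcp 40000 22
"""
```

Running `find_bypass(parse_capture(SAMPLE_CAPTURE))` on the sample returns the two ICMP packets and the SSH connection, which is exactly the symptom described above: the ping to the server's address is visible on the wire instead of inside ESP.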

Related issues

Is duplicate of Issue #3176: strongSwan-Windows routing troubles when accessing server's physical IP address (Closed)

History

#1 Updated by Tobias Brunner 7 days ago

  • Category set to interoperability
  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Priority changed from High to Normal
  • Resolution set to Duplicate

#2 Updated by Tobias Brunner 7 days ago

  • Is duplicate of Issue #3176: strongSwan-Windows routing troubles when accessing server's physical IP address added
