Ubuntu – StrongSwan ikev2 routing through VPN in Windows 10

ikev2ipsecstrongswanUbuntuvpn

I'm trying to create an ikev2 VPN using StrongSwan on an ubuntu server.

Now, in Windows 10 clients, use default gateway on remote network option is off by default; so when I connect to the server, traffic bypasses VPN completely unless I enable that option manually.

However, Windows 10 Mobile doesn't have that option.

On StrongSwan website, there's a paragraph about this issue and how to solve it:

Microsoft changed Windows 10 Desktop and Mobile VPN routing behavior
for new VPN connections. Option "Use default gateway on remote network
option" in the Advanced TCP/IP settings of the VPN connection is now
disabled by default. You can enable this option on Desktop but there
is no way to do this on Mobile. Fortunately, Windows sends DHCP
request upon connection and add routes supplied in option 249 of DHCP
reply.

(And then a sample dnsmasq configuration file)

But it's unclear about how should I configure StrongSwan that way, and I couldn't find any good resources clarifying this.

So the question is, how can I configure StrongSwan in a way that tells Windows 10 to move whole internet traffic (ipv4) through VPN?

Here's my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add

Best Answer

if you install dnsmasq and put this in the /etc/dnsmasq.conf

dhcp-vendorclass=set:msipsec,MSFT 5.0
dhcp-range=tag:msipsec,172.16.16.0,static
dhcp-option=tag:msipsec,6
dhcp-option=tag:msipsec,249, 0.0.0.0/1,0.0.0.0, 128.0.0.0/1,0.0.0.0

it adds two static routes on windows clients. The routes are 0.0.0.0/1 witch is the first half of the ipv4 address range and 128.0.0.0/1 witch is the second half.

For some reason you can't just do 0.0.0.0/0 but you have to divide it into two ranges.
I'm assuming windows ignores /0 because static routes are not meant to act as a default gateway

Related Topic