I'm trying to create an IKEv2 VPN using strongSwan on an Ubuntu server.

Now, in Windows 10 clients, the "use default gateway on remote network" option is off by default, so when I connect to the server, traffic bypasses the VPN completely unless I enable that option manually. However, Windows 10 Mobile doesn't have that option.

On the strongSwan website, there's a paragraph about this issue and how to solve it:

    Microsoft changed Windows 10 Desktop and Mobile VPN routing behavior for new VPN connections. The option "Use default gateway on remote network" in the Advanced TCP/IP settings of the VPN connection is now disabled by default. You can enable this option on Desktop, but there is no way to do this on Mobile. Fortunately, Windows sends a DHCP request upon connection and adds the routes supplied in option 249 of the DHCP reply.

(And then a sample dnsmasq configuration file)

But it's unclear how I should configure strongSwan that way, and I couldn't find any good resources clarifying this.

So the question is: how can I configure strongSwan in a way that tells Windows 10 to move all internet traffic (IPv4) through the VPN?

Here's my ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add
Best Answer

If you install dnsmasq and put this in /etc/dnsmasq.conf, it adds two static routes on Windows clients. The routes are 0.0.0.0/1, which is the first half of the IPv4 address range, and 128.0.0.0/1, which is the second half. For some reason you can't just do 0.0.0.0/0; you have to divide it into two ranges. I'm assuming Windows ignores /0 because static routes are not meant to act as a default gateway.
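To see exactly what the Windows client receives in option 249, here is an added example (not code from the question, the answer, or strongSwan) that encodes the two split default routes from the answer in the RFC 3442 classless-static-route layout that Microsoft's option 249 shares, and parses a payload back while rejecting truncated data. The gateway 172.16.16.1 is an assumption taken from the page's 172.16.16.0/24 pool.

```python
import ipaddress

# Constructed example: the pool on the page is 172.16.16.0/24; using its
# first address as the router is an assumption, not something the page states.
VPN_GATEWAY = "172.16.16.1"
SPLIT_DEFAULT = [("0.0.0.0/1", VPN_GATEWAY), ("128.0.0.0/1", VPN_GATEWAY)]


def encode_classless_routes(routes):
    """Build the payload of DHCP option 249 (Microsoft's pre-standard twin of
    RFC 3442 option 121): per route, one prefix-length byte, only the
    significant destination octets (ceil(len/8)), then the 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Parse an option 249/121 payload back into (CIDR, router) pairs.
    Truncated data and non-zero host bits raise ValueError, so a malformed
    reply is never silently turned into a route."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        n = (plen + 7) // 8
        dest, router = payload[i + 1:i + 1 + n], payload[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError(f"truncated route at offset {i}")
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def describe(routes):
    """Return the encoded payload as hex plus its decoded round trip."""
    raw = encode_classless_routes(routes)
    return raw.hex(), decode_classless_routes(raw)


if __name__ == "__main__":
    # The two /1 routes the answer describes, and the /0 it says Windows ignores.
    print(describe(SPLIT_DEFAULT))
    print(describe([("0.0.0.0/0", VPN_GATEWAY)]))
```

Comparing the hex output with a packet capture of the DHCP reply (Wireshark decodes option 249 as classless static routes) is a quick way to confirm the server is handing out the two halves rather than a /0 the client drops.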