Hi Chris,

> leftsubnet=10.72.0.0/16,192.168.1.0/24,<public ip subnet/29>,<another public ip subnet/29>
>
> On Windows 7 and Windows 8 we can only access the private ip subnets
> after connecting to strongswan. We have to add manually routes to
> access the public ip subnet via the tunnel. Is this a known limitation
> of Windows ("route only private subnets")?

Yes, I think so. If the "Use default gateway on remote network" option is set, you get a default route over the VPN interface. If that is unchecked, you have the additional option to "Disable class based routing addition". As the text indicates: without a default route, Windows installs "Class based routes", which means it installs a route for the network class it gets an IP address for. Without the class based routes, you won't get a route at all. See [1] for some more info.

This routing mechanism in Windows RAS is common to all VPN protocols, but unfortunately that limits the capabilities of the IKEv2 protocol. While we can negotiate complex traffic selectors, Windows can't make use of it. For split routing to anything more complex than a single A, B or C network you can't rely on the functionality provided by that client. But as you indicated, manually installing your routes could work. You could even trigger installation programmatically using the Windows RAS API.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling-with-IKEv2

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
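The manual route installation Martin suggests, written out as a PowerShell script. This is an added example, not code from the thread or from the strongSwan project. It assumes a RAS/IKEv2 connection named 'strongswan' already exists on the Windows client with saved credentials, and that the prefix list mirrors the server's leftsubnet; the two /29 networks are placeholders for the real public ones. On Windows 8.1 and later the VpnClient module (Set-VpnConnection, Add-VpnConnectionRoute) stores the routes in the RAS phonebook so they come back on every connect; on Windows 7 and 8 the script falls back to dialing with rasdial and adding the routes onto the RAS interface with netsh, which has to be repeated after each connect because routes on a dial-up interface vanish with it.

```powershell
# Added example (not from the original message). Assumes a RAS VPN connection
# named 'strongswan' already exists with saved credentials, and that $Prefixes
# mirrors the server's leftsubnet list; the /29s are placeholders.
$ConnectionName = 'strongswan'
$Prefixes = @(
    '10.72.0.0/16',
    '192.168.1.0/24',
    '203.0.113.0/29',    # placeholder for <public ip subnet/29>
    '198.51.100.0/29'    # placeholder for <another public ip subnet/29>
)

# Windows 8.1 and later: per-connection routes live in the RAS phonebook and
# are re-installed by RAS on every connect.
function Set-VpnSplitRoutes {
    param([string]$Name, [string[]]$Prefixes)

    # SplitTunneling $true is the cmdlet form of unchecking
    # "Use default gateway on remote network": no default route over the tunnel.
    Set-VpnConnection -Name $Name -SplitTunneling $true -ErrorAction Stop

    $existing = @((Get-VpnConnection -Name $Name).Routes | ForEach-Object { $_.DestinationPrefix })
    foreach ($prefix in $Prefixes) {
        if ($existing -notcontains $prefix) {
            Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -ErrorAction Stop
        }
    }
}

# Windows 7 / 8 (no VpnClient module): dial, then add the routes onto the RAS
# interface, whose alias equals the connection name. Must run after each connect.
function Connect-VpnWithRoutes {
    param([string]$Name, [string[]]$Prefixes)

    rasdial $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "rasdial '$Name' failed with exit code $LASTEXITCODE" }

    foreach ($prefix in $Prefixes) {
        # Point-to-point interface: no next hop needed. store=active avoids a
        # persistent route bound to an interface index that changes per dial.
        netsh interface ipv4 add route prefix=$prefix interface="$Name" store=active | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "could not add route $prefix on $Name" }
    }
}

# Report which of the wanted prefixes the routing table actually sends via the tunnel.
function Test-VpnRoutes {
    param([string]$Name, [string[]]$Prefixes)
    $table = netsh interface ipv4 show route
    foreach ($prefix in $Prefixes) {
        $present = ($table | Select-String -SimpleMatch $prefix | Select-String -SimpleMatch $Name).Count -gt 0
        '{0,-18} {1}' -f $prefix, $(if ($present) { 'via tunnel' } else { 'MISSING' })
    }
}

if (Get-Command Add-VpnConnectionRoute -ErrorAction SilentlyContinue) {
    Set-VpnSplitRoutes -Name $ConnectionName -Prefixes $Prefixes
    rasdial $ConnectionName | Out-Null
} else {
    Connect-VpnWithRoutes -Name $ConnectionName -Prefixes $Prefixes
}
Test-VpnRoutes -Name $ConnectionName -Prefixes $Prefixes
```

Run it from an elevated PowerShell; route changes need administrator rights. The final check matters because, as the reply explains, RAS will silently install only the class-based route for the assigned address (or nothing at all if class-based routes are disabled), so a prefix that shows as MISSING is one Windows never derived from the negotiated traffic selectors.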