Hi Chris,

>> So my question to you is why is the route being injected BEFORE the
>> tunnel is fully authenticated?
>
> It isn't. However, that MFA you use isn't integrated into the IKE
> authentication. So for the IKE client (and server) the IKE_SA is
> established successfully. I guess if the MFA fails or times out the
> server would just terminate the previously established SA.
Actually, from what I read, this is implemented via RADIUS. So it is
integrated into the IKE authentication.

The route you are referring to is probably the one we install to avoid
traffic leaks while the VPN is established (this happens even before the
first message is sent). However, if you exclude the MFA app it should be
excluded from that initial route as well. Make sure you don't have
Android's system-wide traffic block enabled, though, as that blocks all
traffic if no VPN is established (i.e. there is no split-tunneling).

Regards,
Tobias
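The mechanism Tobias describes (a catch-all route installed on the TUN device before IKE starts, with the excluded app carved out of it) can be illustrated with the public Android VpnService API. The example below is added here and is not strongSwan's code; the package name `com.example.mfa`, the placeholder address `10.0.0.2` and the class name are assumptions for illustration only.

```java
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;

import java.io.IOException;

// Added illustration, not strongSwan's own service. It installs the
// "leak avoidance" route before any IKE message is sent and excludes the
// MFA app from it, so that app can still reach its server while the user
// completes the second factor.
public class LeakGuardVpnService extends VpnService {

    // Assumption: package name of the MFA app the user wants to exclude.
    private static final String MFA_APP_PACKAGE = "com.example.mfa";

    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        installInitialRoute();
        // IKE negotiation would start here; the TUN already swallows
        // all other apps' traffic, so nothing leaks in the meantime.
        return START_STICKY;
    }

    // Default IPv4 and IPv6 routes into a TUN that nothing reads from:
    // packets routed here are dropped rather than sent in the clear.
    private void installInitialRoute() {
        Builder builder = new Builder()
                .setSession("leak-guard")
                .addAddress("10.0.0.2", 32)   // placeholder until IKE assigns a real address
                .addRoute("0.0.0.0", 0)
                .addRoute("::", 0);
        try {
            // Excluded apps bypass the TUN entirely, including this
            // pre-authentication route (API level 21 and later).
            builder.addDisallowedApplication(MFA_APP_PACKAGE);
        } catch (PackageManager.NameNotFoundException e) {
            // MFA app not installed: nothing to exclude, the route still
            // protects every other app.
        }
        tun = builder.establish();   // null if the user revoked VPN permission
    }

    @Override
    public void onRevoke() {
        // The user disabled the VPN in system settings: release the TUN.
        if (tun != null) {
            try {
                tun.close();
            } catch (IOException ignored) {
            }
            tun = null;
        }
        stopSelf();
    }
}
```

The system-wide block Tobias warns about is the user-facing "Block connections without VPN" option under Always-on VPN in Android's settings; it is enforced by the platform for every app, so an app excluded with `addDisallowedApplication()` is still cut off until the VPN is up, and it cannot be changed from within the VPN app.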
