IKEv2 Disable Split Tunneling not working

nielsscheldeman

I want to set up IKEv2 VPN Connection where I want my cliënt to be able to use the remote internet connection, so we can use the fix WAN IP on the server side. I set SecuExtender to Disable Split Tunneling and I added a policy route on the flex with IKEv2_VPN as member, Source address the IKEv2 pool and as Next-Hop: Trunk, WAN_Trunk.

However on the Cliënt if I then do a tracert to 8.8.8.8, it gives request timed out. The tunnel works fine, I'm able to access the local server.

smb_corp_user

I do not remember the setup, but I think you need to add an extra routing rule as well.

WJS

If you are using policy-based VPN, please remember to allow 0.0.0.0 in Phase 2.

nielsscheldeman

https://community.zyxel.com/en/discussion/comment/49688#Comment_49688

Hmm, in what section do I have to configure that?

StefanZ

Phase-2 is "VPN Connection" settings.

Phase-1 is "VPN Gateway" settings.

You might have to display advanced options.

Zyxel_Kevin

Hi @nielsscheldeman

Greeting Forum, Please kindly share your config file by private message.

Thank you

nielsscheldeman

https://community.zyxel.com/en/discussion/comment/49738#Comment_49738

Yes I know :) This is my Phase2 config:

Zyxel_Kevin

Hi @nielsscheldeman ,

Please allow 0.0.0.0/0 in Phase2 policy also ensure VPN client Remote LAN address is "0.0.0.0'

In this way, All traffic will route into Firewall. Thank you

nielsscheldeman

https://community.zyxel.com/en/discussion/comment/49811#Comment_49811

Apologies, but I don't see where I can allow that? client is already configured like that.

Zyxel_Kevin

Hi @nielsscheldeman ,

Please set the Local Policy to 0.0.0.0/0 . If the issue still persist we can have remote session to assist you.

Thank you

nielsscheldeman

Hello, local policy set to 0.0.0.0 did indeed the trick, thank you!

But what if I want only certain users to do full tunnel? I see that in SecuExtender if I turn off or on "Disable Split Tunneling", it doesn't make any difference. The client keeps using the internet connection of the VPN.

I only want certain users to do the full tunnel and I think it's the simplest to manage it on the client itself. I thought simply turning off or on the checkbox would do the trick.