How to run two IKEv2 tunnels (full + split) on the same router?

MyForumUser
MyForumUser Posts: 3  Freshman Member

We have external staff accessing company resources via smartphones and laptops.

Previously we used IPSec IKEv1 tunnels, but now we’re moving to IKEv2.

Smartphones are already set up with an IKEv2 “all traffic” tunnel (EAP auth with username/password, config payload works fine).

Now we want laptops/PCs to connect via IKEv2 as well, but they must use split tunneling due to limited bandwidth at HQ.

When we add a second IKEv2 connection as a split tunnel, clients hit the wrong tunnel and fail to connect.

Question: How can we configure two IKEv2 tunnels on the router so that smartphones always get the full tunnel and laptops/PCs always get the split tunnel?
We’d like to keep EAP with username/password for auth and push IP settings via payload.

Thanks
Dirk

(This was kindly supported by ChatGPT)

All Replies

  • PeterUK
    PeterUK Posts: 3,963  Guru Member

    I take it this is for the non H models USG?

    In Windows you can disable full tunnel by VPN setting IPv4

    [Screenshot 2025-08-22 104258.png: VPN connection IPv4 settings]

    Then for split tunnel use PowerShell

    Add-VpnConnectionRoute(VpnClient) | Microsoft Learn

    Add-VpnConnectionRoute -ConnectionName "zyxel-router6.ddns.net" -DestinationPrefix 192.168.138.0/24
    

    Using StrongSwan client on phone and Windows built-in client, both clients were able to connect, but you need to change Windows EncryptionMethod to match StrongSwan default

    Phase 1
    AES256 SHA256
    DH14
    Phase 2
    AES256 SHA256
    DH2

    use PowerShell

    Set-VpnConnectionIPsecConfiguration(VpnClient) | Microsoft Learn

    Set-VpnConnectionIPsecConfiguration -ConnectionName "zyxel-router6.ddns.net" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2 -DHGroup Group14 -PassThru -Force
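
    The steps in the reply above (turn off the default gateway, add a route, pin the IPsec proposal), collected into one script as an added example; this is not code from the thread or from Zyxel. The server name and the 192.168.138.0/24 prefix are the placeholders used in the thread, and the script assumes the gateway accepts the StrongSwan-default proposal listed in the reply; replace both with your own values.

```powershell
# Added example (not from the thread): client-side IKEv2 split-tunnel profile
# for a laptop, built the way PeterUK's reply describes.
# Assumed values: connection/gateway name and HQ prefix are the thread's placeholders.
$Conn   = "zyxel-router6.ddns.net"   # connection name and VPN gateway FQDN
$Routes = @("192.168.138.0/24")      # HQ subnets that must go through the tunnel

# 1. Create the IKEv2 connection with EAP (username/password) authentication.
#    -SplitTunneling is the scripted equivalent of clearing "Use default gateway
#    on remote network" in the adapter's IPv4 settings, so the full-tunnel
#    default route is never installed for this profile.
if (-not (Get-VpnConnection -Name $Conn -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Conn -ServerAddress $Conn -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -PassThru
} else {
    # Profile already exists (e.g. created through the GUI): switch it to split tunnel.
    Set-VpnConnection -Name $Conn -SplitTunneling $true
}

# 2. With split tunneling on, only the prefixes listed here are routed into the
#    tunnel; all other traffic leaves via the local internet connection.
foreach ($Prefix in $Routes) {
    Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix $Prefix -PassThru
}

# 3. Pin the IPsec proposal to the gateway's settings from the reply:
#    Phase 1: AES256 / SHA256 / DH group 14
#    Phase 2: AES256 / HMAC-SHA256-128 / PFS group 2
#    Without this, Windows offers its own default proposal, which the gateway rejects.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Conn `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2 -PassThru -Force

# 4. Verify: SplitTunneling must be True and the route list should contain only
#    the HQ prefixes. Anything else means the client will still push all traffic
#    through the tunnel.
Get-VpnConnection -Name $Conn |
    Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling
(Get-VpnConnection -Name $Conn).Routes
```

    Run the script in an elevated PowerShell on the laptop; the smartphones keep their existing full-tunnel profile, so the router does not need a second IKEv2 policy for the split tunnel. Note that this profile is a per-user connection; a connection that must come up before Windows logon needs a device-level (all-user) profile, which is the limitation the thread goes on to discuss.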
    
  • MyForumUser
    MyForumUser Posts: 3  Freshman Member

    I forgot to mention that we’re using the Zyxel VPN Client because we need the GINA feature, meaning the tunnel has to be established before Windows login.
    With the Windows built-in client this only works on a device level, but we need a user-based VPN tunnel.

  • PeterUK
    PeterUK Posts: 3,963  Guru Member

    The Zyxel VPN Client should be fine with that setup