IKEv2/Windows Client/Split Tunnel/ Route Installation

Started by jointheflow, October 08, 2025, 08:20:19 AM

Hi all,

I have been trying for days to get CHILD SA routes pushed to a windows client in split tunnel mode with no success

Is this just impossible on windows?

No matter what I try, the CHILD SA routes are never added to the windows routing table. I can get it working by adding the route on the client but I want windows to respect the route sent by the server

Can it be achieved?

Cheers, Nick

In windows you have to trick around via powershell and your own scripting when you use the built in client.

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#windows-10-11-native-vpn-client

If you want a client that adheres to the IKE Configuration Payload and installs routes for split tunneling, try NCP client:

https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html#windows-macos-ncp-secure-entry-client
Hardware:
DEC740
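As an added illustration of the client-side scripting Monviech refers to (this is not code from the OPNsense documentation or from any poster in this thread), the following PowerShell provisions the built-in IKEv2 connection, installs the split-tunnel routes idempotently and verifies after connecting that they are bound to the VPN interface. The connection name, server address and the second prefix are constructed placeholders; 192.168.1.0/24 is the LAN prefix from the thread. The IKE/ESP proposal values are an assumption and must match the phase 1 and phase 2 proposals configured on the OPNsense side.

```powershell
# Added example (not from the OPNsense docs or this thread): provision an IKEv2
# split-tunnel connection on the Windows built-in client and install the routes
# the server-side CHILD_SA covers, because the built-in client does not install
# them from the IKE Configuration Payload. Run from an elevated PowerShell
# (-AllUserConnection requires it).
$Name   = "Test"                       # constructed connection name
$Server = "vpnserver.example.com"      # placeholder, replace with the OPNsense WAN FQDN
$Routes = @(
    "192.168.1.0/24",                  # OPNsense LAN prefix from the thread
    "10.10.0.0/16"                     # constructed second prefix to show the loop
)

# Create the connection once; re-running the script must neither fail nor duplicate it.
$conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $conn) {
    $conn = Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
        -SplitTunneling $true -AllUserConnection -PassThru
}

# Pin the IKE/ESP proposal instead of accepting the Windows defaults. These values
# are an assumption: they must match the phase 1/phase 2 proposals on OPNsense,
# otherwise the tunnel will not come up.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -Force

# Install each prefix that is not already present on the connection.
$present = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $Routes) {
    if ($present -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -AllUserConnection
    }
}

# After connecting (rasdial, or the Settings UI), confirm that every expected route
# is installed on the VPN interface; its alias equals the connection name while up.
function Test-SplitTunnelRoutes {
    param([string]$ConnectionName, [string[]]$Expected)
    $active = @(Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                ForEach-Object { $_.DestinationPrefix })
    foreach ($prefix in $Expected) {
        if ($active -notcontains $prefix) {
            Write-Warning "Route $prefix is not installed on interface $ConnectionName"
        }
    }
    return (@($Expected | Where-Object { $active -contains $_ }).Count -eq $Expected.Count)
}

Test-SplitTunnelRoutes -ConnectionName $Name -Expected $Routes
```

The route list has to be maintained by hand (or pushed by whatever manages the client), which is exactly the limitation the thread is about: the built-in client honours only what is stored in its own connection profile, not the traffic selectors the server offers.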

October 08, 2025, 10:53:32 AM #2 Last Edit: October 08, 2025, 11:12:28 AM by jointheflow
Hi @Monviech

Yes so this is my question...

Is there no way to establish this on a windows client without having to resort to client config?

I can get the VPN to establish fine and opnsense sends the route, but windows does respect it from my testing, and the CHILD_SA routes are never inserted into the windows routing table.

I can fix it on the client by adding the route manually (below config has 192.168.1.0/24 as LAN network on opnsense) as follows:

  Add-VpnConnection -Name "Test" -ServerAddress "vpnserver.example.com" -TunnelType IKEv2 -SplitTunneling $true -AllUserConnection
  Add-VpnConnectionRoute -ConnectionName "Test" -DestinationPrefix "192.168.1.0/24" -AllUserConnection

If I then connect, I can get to the network...

However, in OPNsense if I define the CHILD_SA as a route to that network it is never added to the routing table on the Windows client. It should be. It works on other OSes and the route is created, but on Windows it's never inserted no matter what changes I make via the UI.

Is there any OPNsense config available that works without client intervention on Windows? I'd be happy to use a different version of IPsec, but it seems IKEv1 is deprecated in Windows 10+. I assume there is no way to actually make this work without client intervention unless I'm missing something obvious, but I keep seeing posts from older OPNsense versions where it works OK?

I'm not sure if this is a restriction on windows where no CHILD_SA entries on IKEv2 are respected, or if the current opnsense has a bug, or config is incorrect.

Does anyone have IKEv2 working in split tunnel with server-based routes pushed to a windows 10+ client using opnsense 25.5 or later?

Cheers, Nick.


Probably a broader question:

Is there ANY config in opnsense (L2TP, PPTP etc.) that would allow a windows user to create a VPN, split tunnel and get the routes..

Even if it's an opnsense plugin?

On latest windows the options seem limited to SSTP, L2TP (cert or preshare) and PPTP, but opnsense does not appear to support any of these

Seems there is no way to inject routes from opnsense to a windows client from my research..

Cheers, Nick.

Quote from: jointheflow on October 08, 2025, 11:09:47 AM
Is there ANY config in opnsense (L2TP, PPTP etc.) that would allow a windows user to create a VPN, split tunnel and get the routes..

OpenVPN of course does that. I doubt there is a way that does not require installing a specific client on Windows. Even if it is IPsec.

You should not consider PPTP - that is just as good as plain text. Consider it broken. Probably even the authentication can be circumvented, so anybody can connect.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)