Mikrotik IKEv2/ipsec + Windows 10 = no split include routes

Server Fault Asked on November 4, 2021

I am deploying a solution using IKEv2+ipsec with certificates to connect roadwarriors to corporate network. Mikrotik CHR is used as entry point.

All was swift until I started deploying the solution on Dell notebooks.
Once the connection to the router is established, the laptop doesn’t get split includes, and only the VPN subnet is available. On the contrary, my admin PC, which is a stationary workstation, has no such problems.

Windows 10 receives split includes using DHCP.
After some research I found out that for some reason, Dell-provided Windows 10 Pro 1909 fails to send a DHCP request to the router. Laptops get their address and DNS; only the split include routes are lost. Also, DHCP works well on the Wi-Fi adapter.

What was done:

  • Logs at the router were examined for both the laptop and the admin PC. No DHCP requests were found when the laptop connects.
  • Traffic was sniffed at the Mikrotik CHR: the DHCP request, which comes from the admin machine, doesn’t come from the notebook.
  • Traffic was sniffed at notebook, and no DHCP requests were detected.

Rebooting, resetting ip and winsock using netsh, reverting to older wi-fi driver, deleting and re-creating WAN Miniports, enforcing DHCP for a connection, dancing around a laptop – all that didn’t help.

Currently the only solution that works is a clean MSDN Windows 10 1909 installation. With this one, laptops get their split includes fine. However, it doesn’t seem like a sound solution to me.

My questions are:

  • What is the possible cause of the problem?
  • What can be done to fix it?

One Answer

Problem solved. The reason was misconfiguration of border router.

However, a few pieces of advice for those who are stuck with a similar problem.

  • First try connecting to another source of Internet (my mistake was connecting to a phone which was in turn connected to the local WiFi, and therefore routed to the very same router) and verify.
  • If the problem persists, you may use the Add-VpnConnectionRoute PowerShell cmdlet to manually add routes to your VPN connection. This is the method to use, as route add will add routes not dependent on the VPN connection.
  • Routes are added to the related connection section in rasphone.pbk.
  • In general, the PowerShell cmdlets Add-VpnConnection and Add-VpnConnectionRoute are great tools to create connections, as they allow implementing almost any deployment scenario.
  • If, despite added routes, no traffic comes to the tunnel, install traffic capture software, such as Wireshark, and monitor ipsec traffic. As packets are most likely encrypted, all you can see is whether there are ipsec packets coming and going, and thus narrow down debugging tasks.

Answered by Eugene on November 4, 2021
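As an added example (not from the answer or the original poster), the following PowerShell script builds an IKEv2 connection with machine-certificate authentication, attaches split-include routes to the connection so they live in rasphone.pbk and follow the tunnel, and then checks what landed in the routing table. The connection name, server FQDN, prefixes and the IPsec proposal are constructed placeholders to be replaced with values matching your router's configuration.

```powershell
# Added example, not the poster's code. All names and addresses are constructed placeholders.
$ConnectionName = "Corp-IKEv2"        # assumption: display name of the VPN connection
$ServerAddress  = "vpn.example.com"   # assumption: FQDN that matches the router's certificate
$CorpPrefixes   = @("10.10.0.0/16", "192.168.50.0/24")   # constructed split-include routes

# Create (or recreate) the connection. -SplitTunneling keeps the default route on the
# physical adapter, so only routes attached to the connection are sent through the tunnel.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling

# Pin the IKE/ESP proposal instead of relying on the client's defaults.
# Assumption: this is the proposal the Mikrotik side is configured to accept.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Attach the split-include routes to the connection itself. Unlike 'route add', these
# entries are stored in rasphone.pbk and are installed and removed together with the tunnel.
foreach ($prefix in $CorpPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Show the routes stored on the connection before dialing.
(Get-VpnConnection -Name $ConnectionName).Routes |
    Select-Object DestinationPrefix, RouteMetric

# After the tunnel is up (for example via 'rasdial $ConnectionName'), confirm the routes
# were installed on the VPN interface; its interface alias is the connection name.
Get-NetRoute -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
```

If the second listing is empty while the first shows the prefixes, the routes are configured but the adapter never came up, which points at the tunnel negotiation rather than at route distribution.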
