IKEv2 Multi WAN / SD WAN
Just curious about something here. Recently I have been having select users move from SSL-VPN to IKEv2 due to the speed increase of IKEv2, hoping to eliminate the dropped RDP sessions they are experiencing.
Not using RADIUS, just Firebox users.
Now IKEv2 doesn't allow a split VPN so all traffic runs through the tunnel. If those are the rules I will play by them. ;-)
Now I have a multi-WAN configuration utilizing SD-WAN for routing; one connection is fast, while the other is slow. T-1-like slow.
If I connect a PC to the IKEv2 VPN and perform a tracert to yahoo.com, DNS resolves as expected but the external connection defaults to my slow T-1, which sorta defeats the purpose of a faster VPN connection, right?
For fun I edit the default IKEv2 Users policy and enable SD-WAN, sending outbound traffic out the fast external connection.
After I do this, DNS no longer resolves and a tracert to yahoo.com fails, as does a tracert to 22.214.171.124.
Disabling SD-WAN makes everything work fine again.
The IKEv2 connection is pointed to one of the external IPs of my fast Internet connection, but my outbound IP is a different address on that subnet.
How does IKEv2 determine the external IP and routing of the VPN connection, and why does enabling SD-WAN blow everything up?
Bruce you out there?
Thanks for any input!
It's usually something simple.