Zero route vs known services
Hello,
Is there a way to exclude certain routes, networks or hosts from a zero route IKEv2 VPN?
This morning a lot of PCs downloaded an Office 365 update from Akamai that nearly killed the firebox.
My service provider even called to make sure everything was OK. We're on semi-annual release channel.
Should I start using traffic shaping to limit speeds over VPN? I find this difficult as the traffic is HTTPS.
Microsoft's delivery optimization can make things worse when everyone is remote.
Thanks for your help.
M370
FW: 12.6.3
Comments
I have used traffic management to guarantee bandwidth per IP. Not perfect but it's a start. Also I might have posted this in the wrong section, sorry.
Hi @mknox
Unfortunately Windows doesn't provide a way to make the tunnel split, or exclude routes -- it wants to build it as a forced/zero routed tunnel.
You can use PowerShell to edit the routes used in the IKEv2 VPN, and there are multiple tutorials around the internet showing how to do this. For most end users, this won't be feasible.
If the users would do better with split tunneling, I'd suggest using the SSLVPN, which allows for this to be configured.
-James Carson
WatchGuard Customer Support
To change the IKEv2 VPN from Forced tunnel (default mode) to Split tunnel is more a Windows 10 configuration than a Firebox configuration.
Open PowerShell (Run as admin) and change IKEv2 to split mode and add the on-prem network routes.
Set-VpnConnection -Name "WG IKEv2" -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "WG IKEv2" -DestinationPrefix 192.168.10.0/24
Add-VpnConnectionRoute -ConnectionName "WG IKEv2" -DestinationPrefix 192.168.110.0/24
More IKEv2 VPN parameters:
https://docs.microsoft.com/en-us/powershell/module/vpnclient/?view=windowsserver2019-ps
With Azure Intune it’s even easier to add and configure IKEv2 connections to multiple Windows workstations…
If you want to try IKEv2 VPN Forced Tunnel with exceptions, check these:
https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-split-tunnel
https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel
Then this is your solution:
https://watchguard.force.com/customers/wgknowledgebase?type=Article&SFDCID=kA10H000000g2vHSAQ&lang=en_US
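As an added example (not from the post above or from WatchGuard), the same split-tunnel change written as a re-runnable script that checks the connection exists, adds only the routes that are missing, and shows the resulting state. The connection name and on-prem prefixes are placeholders, and the Routes/DestinationPrefix property names are assumed from the VpnClient module's output objects.

```powershell
# Added example: switch a Windows IKEv2 VPN connection from forced tunnel to
# split tunnel and send only the on-prem networks through it.
# Run in an elevated PowerShell. Connection name and prefixes are assumed values.
param(
    [string]   $ConnectionName = "WG IKEv2",
    [string[]] $OnPremPrefixes = @("192.168.10.0/24", "192.168.110.0/24")
)

# Fail early if the connection is not defined on this machine.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Forced (zero route) is the default; only change it if needed.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Add each on-prem prefix only if it is not already present, so re-running
# the script does not create duplicate routes.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $OnPremPrefixes) {
    if ($existing -contains $prefix) {
        Write-Verbose "Route $prefix already present"
        continue
    }
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Final state: SplitTunneling should be True and only the on-prem prefixes
# listed. Anything not listed (e.g. Office 365 / CDN update traffic) now
# leaves via the user's local Internet connection and is no longer inspected
# or rate-limited by the Firebox.
$vpn = Get-VpnConnection -Name $ConnectionName
[pscustomobject]@{
    Name           = $vpn.Name
    SplitTunneling = $vpn.SplitTunneling
    Routes         = ($vpn.Routes | ForEach-Object { $_.DestinationPrefix }) -join ", "
}
```

The user must disconnect and reconnect the VPN for the new tunnel mode and routes to take effect.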