Richard Bucker

Edgerouter IPSec Split Tunneling

Posted at — Apr 2, 2019

Background

You have a server/network behind a Ubiquiti EdgeRouter configured to be an IPsec server. You have an Android or ChromeOS device that you have configured to connect to the IPsec server and to the allowed networks/devices behind it.

Definitions

There are essentially three types of configuration an admin or corporate security might specify, and, without knowing the exact terms myself:

1. forced, no way out. All network traffic is sent through the VPN, but there is no way back out to the public internet.
2. forced, tunnel all. All network traffic is sent through the VPN, including all public internet access. This is what many VPN vendors are selling, and how some ISPs improve performance on the last mile by compressing data.
3. just the allowed networks. Only packets destined for the allowed IPs and CIDRs are routed through the tunnel (split tunneling).

This is a bit frustrating because, unlike OpenVPN, there is no "push" of routes from the server: the IPsec/L2TP tunnel is a point-to-point link and the client decides what goes where, including whether its default route points into the tunnel. While there are plenty of 3rd-party companies describing #3, they seem to own both the client and the server side.

Now what?

Ubiquiti says that all of these configurations are possible; however, they stop there and provide no more. ChromeOS hints at this functionality in its docs, but you have to pay to play. The stock Android IPsec client does not offer any hints.

UPDATE

The ERX is so incredibly buggy!!!
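Since the client, not the EdgeRouter, decides which of the three shapes the tunnel takes, the only reliable check is the client's routing table once the tunnel is up. The script below is an added example (not from the original post) that reads an `ip route show`-style table and classifies it against the three modes above; the allowed networks, the tunnel interface name `ppp0` and the sample route tables are constructed assumptions. It goes slightly beyond the text in one respect: it also recognises the `0.0.0.0/1` + `128.0.0.0/1` pair that some clients install instead of replacing the default route. Note that it cannot tell mode 1 from mode 2, because both put the default route in the tunnel; whether public addresses are then reachable is decided by the NAT and firewall rules on the EdgeRouter side, not by anything visible on the client.

```python
"""Classify a VPN client's routing table against the three tunnel modes.

Added example, not from the original post.  The allowed networks, the
tunnel interface name and the sample route tables are constructed.
"""
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import List, Optional, Tuple

# Networks the administrator allows behind the EdgeRouter (assumed values).
ALLOWED: List[IPv4Network] = [
    ip_network("10.10.0.0/16"),
    ip_network("192.168.50.0/24"),
]

# Constructed `ip route show` output for three client states.
SAMPLE_FULL = """default dev ppp0 scope link
10.20.0.1 dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_SPLIT = """default via 192.168.1.1 dev wlan0
10.10.0.0/16 dev ppp0 scope link
192.168.50.0/24 dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_DEF1 = """default via 192.168.1.1 dev wlan0
0.0.0.0/1 dev ppp0 scope link
128.0.0.0/1 dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_EXTRA = """default via 192.168.1.1 dev wlan0
10.10.0.0/16 dev ppp0 scope link
172.16.0.0/12 dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text: str) -> List[Tuple[IPv4Network, Optional[str]]]:
    """Parse `ip route show`-style lines into (destination, device) pairs.

    Only IPv4 routes are kept; a bare host address is treated as a /32 and
    the keyword "default" as 0.0.0.0/0.
    """
    routes: List[Tuple[IPv4Network, Optional[str]]] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dest:
            dest += "/32"
        try:
            net = ip_network(dest, strict=False)
        except ValueError:
            continue  # "broadcast", "local" and other non-route lines
        if not isinstance(net, IPv4Network):
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def classify(route_text: str, tunnel_dev: str = "ppp0",
             allowed: List[IPv4Network] = ALLOWED) -> str:
    """Return "full-tunnel", "split-tunnel", "split-tunnel-extra" or "no-tunnel".

    "full-tunnel" covers both mode 1 and mode 2 from the text: the client's
    routing table looks identical, only the server-side NAT/firewall differs.
    "split-tunnel-extra" means the tunnel carries networks that are not on
    the allowed list, which is worth investigating on a managed device.
    """
    tunnel = [net for net, dev in parse_routes(route_text) if dev == tunnel_dev]
    if not tunnel:
        return "no-tunnel"
    # Merge adjacent/overlapping routes so 0.0.0.0/1 + 128.0.0.0/1 (the
    # "def1" trick used to override the default route) collapses to 0.0.0.0/0.
    merged = list(collapse_addresses(tunnel))
    if merged == [ip_network("0.0.0.0/0")]:
        return "full-tunnel"
    if all(any(net.subnet_of(a) for a in allowed) for net in merged):
        return "split-tunnel"
    return "split-tunnel-extra"


if __name__ == "__main__":
    for name, sample in [("full", SAMPLE_FULL), ("split", SAMPLE_SPLIT),
                         ("def1", SAMPLE_DEF1), ("extra", SAMPLE_EXTRA)]:
        print(f"{name:6} -> {classify(sample)}")
```

On a real device, feed it the output of `ip route show` (or the equivalent from the OS's VPN status screen) while the tunnel is connected; if the result is `full-tunnel` when you expected #3, the client has ignored the allowed-network list and you are in mode 1 or 2 depending on the router's NAT rules.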