I have Always On VPN running about 80% of the way and I am able to establish user and device tunnels manually in the GUI.
The tunnels are IKEv2. The user tunnel is using PEAP/certificates, etc., per the official documentation, and the device tunnel connected using a machine certificate.
Using a static pool for handing out addresses. The subnet I am handing out to clients doesn't exist anywhere on my network for the moment; I am just adding static routes where needed for testing.
If I connect with a device tunnel and add static routes on internal resources for the static pool subnet, I am able to communicate with the internal resources: ping, RDP, etc. (However, things like CIFS shares would not work, not sure why.)
If I connect with a user tunnel I cannot get to any internal resources in any way.
When doing a tracert from an internal resource back to the client IP over a device tunnel the first hop is the RAS server internal interface (because that is what my static route specified) and the second hop is the external interface of the RAS server's gateway.
When doing a tracert from an internal resource back to the client IP over a user tunnel the first hop is the RAS server internal interface and then it dies. It never goes to the external interface like the machine tunnel does.
This is a 2019 server and I think it may be a little buggy (things like DHCP for the pool do not work, yet it did on a 2016 server with the same configuration; the timezone couldn't be set in the Settings app, I had to open the older-style GUI to change the timezone). Microsoft is looking into those two things.
How come the user tunnel behaves differently than the device tunnel for this basic connectivity testing?