[strongSwan] unity_split_include prevents VPN from connecting.
Tim
mlist at lubrical.net
Wed Feb 22 12:53:18 CET 2012
Hi,
I have this setup that I can get everything working on apart from
split-tunnelling.
*Client(IOS)*=Pub.IP <---> Pub.IP=*Firewall*=Priv.IP=<--NAT-->=Priv.IP=*StrongSwan*
This works with my setup: ipsec.conf

config setup
    plutostart=yes
    charonstart=yes
    nat_traversal=yes
    plutodebug=all

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=ServerCert.pem
    right=%any
    rightsubnet=192.168.0.0/24
    rightsourceip=%iospool
    rightcert=ClientCert.pem
    pfs=no
    auto=add
When connected, the Client(IOS) can talk to Priv.IP servers on the
protected LAN. The problem is that it also tries to route all traffic
via that LAN. I want it to only route traffic for Priv.IP via the VPN and
the rest to go via its normal connection to the internet.
Reading some threads (namely one on this list from 2010), it appears the way
to do this is to set unity_split_include via:

ipsec pool --addattr unity_split_include --subnet "192.168.0.0/255.255.255.0"
# ipsec pool --statusattr
type   description          pool   identity   value
28676  UNITY_SPLIT_INCLUDE                    192.168.0.0/255.255.255.0
However, when I set this the Client(IOS) can no longer establish a VPN.
Claims: "Negotiation with the VPN server failed".
Here is the pluto debug log from a failed attempt:
http://lubrical.net/misc/secure.fail.log
Can anyone tell me how to fix "unity_split_include" or even just how to
route only Priv.IP traffic via the VPN?
--
Tim
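As an added example (not part of the original post, and not strongSwan's own code), the following script shows what the pool attribute configured above actually carries on the wire: a UNITY_SPLIT_INCLUDE value (type 28676, the number shown by `ipsec pool --statusattr`) is a list of fixed-size subnet records, and a client that honours it installs routes only for those subnets rather than for everything. The 14-byte record layout (network, netmask, protocol, source port, destination port) is an assumption taken from the common Cisco Unity encoding; the function names are hypothetical.

```python
"""Encode and decode the value of a Cisco Unity UNITY_SPLIT_INCLUDE attribute.

Added example, not from the original post or from strongSwan's code base.
Assumed record layout (Cisco Unity convention): one 14-byte record per subnet,
big-endian, 4 bytes network, 4 bytes netmask, 2 bytes protocol, 2 bytes
source port, 2 bytes destination port; zero in the last three means "any".
"""
import ipaddress
import struct

UNITY_SPLIT_INCLUDE = 28676          # attribute type listed by `ipsec pool --statusattr`
RECORD = struct.Struct("!4s4sHHH")   # net, mask, proto, sport, dport (14 bytes)


def parse_subnet(text):
    """Accept '192.168.0.0/24' or '192.168.0.0/255.255.255.0' (the form the
    pool command uses) and return an IPv4Network."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError("Unity split attributes carry IPv4 subnets only")
    return net


def encode_split_include(subnets):
    """Build the raw attribute value for a list of subnet strings."""
    value = b""
    for text in subnets:
        net = parse_subnet(text)
        value += RECORD.pack(net.network_address.packed, net.netmask.packed, 0, 0, 0)
    return value


def decode_split_include(value):
    """Return the subnets in 'address/mask' form, as `ipsec pool --statusattr`
    prints them. Rejects truncated values instead of silently dropping a record."""
    if len(value) % RECORD.size:
        raise ValueError("truncated UNITY_SPLIT_INCLUDE value (%d bytes)" % len(value))
    subnets = []
    for offset in range(0, len(value), RECORD.size):
        net, mask, proto, sport, dport = RECORD.unpack_from(value, offset)
        subnets.append("%s/%s" % (ipaddress.IPv4Address(net), ipaddress.IPv4Address(mask)))
    return subnets


def covers_everything(subnets):
    """True if the list would route all traffic anyway (a 0.0.0.0/0 entry),
    which defeats the purpose of split tunnelling."""
    return any(parse_subnet(s).prefixlen == 0 for s in subnets)


if __name__ == "__main__":
    # Constructed sample: the single subnet from the pool command above.
    raw = encode_split_include(["192.168.0.0/255.255.255.0"])
    print("attribute type %d, %d byte(s): %s" % (UNITY_SPLIT_INCLUDE, len(raw), raw.hex()))
    print("decoded:", decode_split_include(raw))
    print("routes all traffic:", covers_everything(["192.168.0.0/24"]))
```

Round-tripping the value is a cheap way to confirm that what was stored in the pool database is the subnet you intended (and that it is narrower than the `leftsubnet=0.0.0.0/0` traffic selector, which is the reason the client routes everything through the tunnel without the attribute).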