[strongSwan] Guidance on split-exclude when using Unity plugin

kgardenia42 kgardenia42 at googlemail.com
Thu Jan 31 20:44:18 CET 2013


Hi,

I'm trying to configure split-tunneling to exclude certain
cherry-picked addresses from the VPN tunnel using the Unity plugin.
For reasons I can't figure out, it is resulting in the excluded addresses
seemingly black-holing on the client-side.  To validate my
assumptions, I'd like to outline what I'm doing and hopefully someone
can point out where I'm going wrong or what I'm failing to grok.

I have a VPN (strongSwan 5.0.2) which is a gateway for all traffic
(iOS devices, ikev1).  I would like to exclude certain "sites" (aka
hostnames) from that.  I realize that the terminology "sites" doesn't
quite apply since strongswan only speaks network addresses/subnets but
I get that.

To pick a contrived example.  Let's say I wanted to exclude the site
www.2600.com (which, as it happens, has 1 fixed static address of
207.99.30.226), from being tunneled via the VPN I would put the
following in /etc/strongswan.conf:

charon {
        ...

        # tell the unity plugin to send Cisco Unity attributes to clients
        cisco_unity = yes

        plugins {
                attr {
                        # pushed to the client as a Unity split-exclude
                        split-exclude = 207.99.30.226/32
                }
        }
}

OK - now when I try to do a: curl http://www.2600.com the traffic just
blocks/stalls on the client-side.  If I go to <another other address>
I can see (via tcpdump) that the traffic is arriving at the VPN server
just fine.

So what this tells me is both good news and bad news.  Good news: the
split-exclude config does seem to be pushing out the relevant config
to the client.  Bad news: the client is somehow not able to route the
excluded traffic directly (not via the VPN).  I have replicated this
on both iOS clients and an Ubuntu strongSwan client.  I'm sure I'm
missing something fundamental.

This is my server config:

conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsourceip=10.0.0.0/20
        auto=add
        rekey=no

Any ideas what the issue could be?  I expect it is something really
fundamental/basic.

Is the leftsubnet option of "0.0.0.0/0" the culprit here?  i.e. can
you on one hand say "route everything via the VPN" and on the other hand
say "but not 207.99.30.226/32"?  i.e. where does that leave traffic
destined for 207.99.30.226/32?  Am I just totally off base?  If not,
what is the right way to write such a config?

Please advise where I'm going wrong.  All feedback greatly appreciated.

Thanks,
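
An added illustration (not part of the post above, and not strongSwan's own
code) of the question the poster is asking: what a client must do so that
traffic to a split-exclude address is not swallowed by a 0.0.0.0/0 tunnel
selector. It models the client's IPsec policy lookup as a longest-prefix
match over the tunnel selector plus any passthrough (bypass) policies the
client installs for the excluded prefixes; that matching model and the
sample "other" address 198.51.100.7 are assumptions chosen for the example.
It also shows the alternative of carving the excludes out of the tunnel
selector itself, which turns 0.0.0.0/0 minus one /32 into 32 disjoint
prefixes.

```python
import ipaddress

# Values taken from the post: the gateway's leftsubnet and the
# split-exclude list pushed by the attr plugin.
TUNNEL_SUBNET = ipaddress.ip_network("0.0.0.0/0")
SPLIT_EXCLUDE = [ipaddress.ip_network("207.99.30.226/32")]


def build_policies(tunnel, excludes, install_passthrough=True):
    """Model of the client's policy table after the Unity exchange.

    The tunnel selector always covers `tunnel`.  A client that honours
    split-exclude additionally installs a passthrough (bypass) policy per
    excluded prefix; `install_passthrough=False` models a client that does
    not, which is the situation the post describes.
    """
    policies = [(tunnel, "tunnel")]
    if install_passthrough:
        policies += [(ex, "pass") for ex in excludes]
    return policies


def lookup(dest, policies):
    """Longest-prefix match of `dest` against the policy table (assumed
    model of IPsec policy selection).  Returns "tunnel", "pass" or "plain"
    (no policy matched at all)."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, action) for net, action in policies if dest in net]
    if not matches:
        return "plain"
    _, action = max(matches, key=lambda m: m[0].prefixlen)
    return action


def tunneled_prefixes(tunnel, excludes):
    """Alternative approach: narrow the tunnel selector by subtracting every
    exclude, so the excluded addresses are simply not covered by any IPsec
    policy.  Returns the remaining prefixes, most specific first."""
    remaining = [tunnel]
    for ex in excludes:
        carved = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                      # this piece is fully excluded
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split around it
            else:
                carved.append(net)            # untouched by this exclude
        remaining = carved
    return sorted(remaining, key=lambda n: (-n.prefixlen, int(n.network_address)))


if __name__ == "__main__":
    good = build_policies(TUNNEL_SUBNET, SPLIT_EXCLUDE, install_passthrough=True)
    bad = build_policies(TUNNEL_SUBNET, SPLIT_EXCLUDE, install_passthrough=False)
    for dest in ("207.99.30.226", "198.51.100.7"):
        print(dest, "with passthrough:", lookup(dest, good),
              "| without:", lookup(dest, bad))
    narrowed = tunneled_prefixes(TUNNEL_SUBNET, SPLIT_EXCLUDE)
    print(len(narrowed), "prefixes remain after carving out the exclude")
```

The point the model makes explicit: with leftsubnet=0.0.0.0/0 the excluded
/32 still matches the tunnel selector, so the exclude only takes effect if
something more specific (a passthrough policy, or a narrowed selector) wins
the lookup on the client.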
