[strongSwan] Split tunnel config per user (IOS)

Martin Willi martin at strongswan.org
Mon Sep 8 09:21:22 CEST 2014


Hi,

> you can assign different configurations (they are called pools there)
> to different client profiles.

With these pools definition you define configuration attributes to
assign to the client. You can assign Split-Includes attributes this way,
but this is not the way our unity plugin works.

> However, at the moment it seems like Unity split tunnel config is a
> global setting in strongswan.

Only if you assign them via global configuration attributes, for example
using the attr plugin.

> Is there any specific architecture reason it needs to be this way or is
> it just a current limitation?

When using the unity plugin, it implicitly creates the required Unity
specific configuration attributes from the leftsubnet setting (this is
mostly what the unity plugin does as responder). So you can have
per-connection specific Split-Tunneling with IKEv1.

> I'd like to be able to give a different split config to a user
> depending on some criteria (e.g. per-user config or a flag in a radius
> database or such like).

There is currently no way to define the traffic selectors (leftsubnet)
over RADIUS that could be used by the Unity plugin to create the
Split-Include attributes.

Instead you could try to disable the unity plugin, and manually forward
Split-Include attributes that the RADIUS backend offers. Refer to [1]
for attributes that get forwarded during RADIUS authentication.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#RADIUS-attribute-forwarding
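As an added illustration of the per-connection approach described above (not part of Martin's reply or the strongSwan documentation), the ipsec.conf below defines two IKEv1 XAuth connections selected by the client's group identity; the unity plugin derives a different set of Split-Include attributes from each connection's leftsubnet. The group names, subnets and address pool are assumed placeholder values.

```ini
# Added example, not from the original post. Two Cisco Unity style IKEv1
# connections; the unity plugin turns each leftsubnet into Split-Include
# attributes for clients authenticating against that connection.
config setup

conn %default
    keyexchange=ikev1
    aggressive=yes
    # group PSK first, then XAuth user credentials (placeholder backend)
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    # assumed virtual IP pool for remote clients
    rightsourceip=10.99.0.0/24
    auto=add

# Clients presenting group id "group-a" only get the first subnet tunneled
conn group-a
    rightid=@group-a
    leftsubnet=10.1.0.0/16

# Clients presenting group id "group-b" get two subnets tunneled
conn group-b
    rightid=@group-b
    leftsubnet=10.1.0.0/16,10.2.0.0/16
```

The matching group PSKs go into ipsec.secrets as `@group-a : PSK "..."` and `@group-b : PSK "..."` (placeholder values); everything not listed in leftsubnet stays outside the tunnel on the client.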
