[strongSwan] Split Tunnel Not Working
david at fz1.org
Sun Jan 11 01:24:06 CET 2015
I’m trying to set up what should be a simple split tunnel configuration and am having issues. The client is on a NAT subnet so I have leftsubnet=192.168.1.0/24. I want everything except traffic for the LAN to go out the IPsec tunnel so I have rightsubnet=0.0.0.0/0. The tunnel comes up fine but _all_ traffic goes out the tunnel, even traffic destined for 192.168.1.0/24. If I try to ping some other host on the local subnet I can see the ICMP request on the VPN server where it shouldn’t be. The VPN server can (as expected) send an ICMP to a host on the LAN. I’ve tried both with and without lefthostaccess=yes (which I though would basically control split tunneling).
Both servers are Debian Wheezy using the Strongswan 4.X packages. I can try the Strongswan 5.X packages from back ports but my impression is that this should work just fine. It’s not a complex configuration so I’m kind of stumped as to why it’s not working. I’m thinking that if I use ‘setkey -DP’ on the client I should see a rule matching 192.168.1.0/24 - 192.168.1.0/24 to keep the local traffic out of the tunnel? Or is there some other method I should be checking? Any advice would be appreciated. Thanks,
On the server:
On the client:
More information about the Users