[strongSwan] Split Tunnel Not Working
David Mitchell
david at fz1.org
Sun Jan 11 01:24:06 CET 2015
Greetings,
I’m trying to set up what should be a simple split tunnel configuration and am having issues. The client is on a NAT subnet so I have leftsubnet=192.168.1.0/24. I want everything except traffic for the LAN to go out the IPsec tunnel so I have rightsubnet=0.0.0.0/0. The tunnel comes up fine but _all_ traffic goes out the tunnel, even traffic destined for 192.168.1.0/24. If I try to ping some other host on the local subnet I can see the ICMP request on the VPN server where it shouldn’t be. The VPN server can (as expected) send an ICMP to a host on the LAN. I’ve tried both with and without lefthostaccess=yes (which I thought would basically control split tunneling).
Both servers are Debian Wheezy using the Strongswan 4.X packages. I can try the Strongswan 5.X packages from backports but my impression is that this should work just fine. It’s not a complex configuration so I’m kind of stumped as to why it’s not working. I’m thinking that if I use ‘setkey -DP’ on the client I should see a rule matching 192.168.1.0/24 - 192.168.1.0/24 to keep the local traffic out of the tunnel? Or is there some other method I should be checking? Any advice would be appreciated. Thanks,
-David Mitchell
On the server:
conn toclient
keyexchange=ikev2
left=1.1.1.1
leftid=1.1.1.1
leftcert=serverCert.der
leftsubnet=0.0.0.0/0
rightcert=clientCert.pem
right=%any
# righthostaccess=yes
rightsubnet=192.168.1.0/24
auto=add
On the client:
conn toserver
keyexchange=ikev2
right=1.1.1.1
rightcert=serverCert.der
rightsubnet=0.0.0.0/0
leftsubnet=192.168.1.0/24
leftcert=clientCert.pem
# lefthostaccess=yes
auto=add
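The behaviour described in the post follows from how the kernel selects an outbound IPsec policy: the client's conn installs a single policy for 192.168.1.0/24 -> 0.0.0.0/0, and 0.0.0.0/0 contains the LAN, so a ping to 192.168.1.10 is also matched and sent through the tunnel. Keeping local traffic out of the tunnel requires a more specific policy for 192.168.1.0/24 -> 192.168.1.0/24 with no ESP template, which is what strongSwan installs for a conn with type=passthrough. The following Python model is an added example, not code from the post or from the strongSwan project; it reproduces the policy lookup with constructed policies and addresses, and the priority rule (more specific selector pair wins) is an assumption that mirrors the kernel's ordering, not the exact priority formula strongSwan uses.

```python
import ipaddress
from dataclasses import dataclass

# Passthrough conn that the model below represents as the "bypass" policy
# (standard strongSwan mechanism; this snippet is not from the original post):
#
#   conn lan-passthrough
#       leftsubnet=192.168.1.0/24
#       rightsubnet=192.168.1.0/24
#       type=passthrough
#       auto=route


@dataclass(frozen=True)
class Policy:
    """One outbound IPsec policy: a traffic-selector pair plus its action.

    'tunnel' stands for a policy carrying an ESP template (traffic is
    encapsulated towards the gateway); 'bypass' stands for a passthrough
    policy with no template (traffic leaves in the clear via normal routing).
    """
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

    def specificity(self):
        # Assumption: a more specific selector pair is preferred, as the kernel
        # orders policies by priority and strongSwan derives priority from
        # prefix lengths. The exact formula is not modelled here.
        return self.src.prefixlen + self.dst.prefixlen


def lookup(policies, src_ip, dst_ip):
    """Return the action applied to a packet, or 'plain' when no policy matches."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies if p.matches(src_ip, dst_ip)]
    if not candidates:
        return "plain"
    return max(candidates, key=Policy.specificity).action


def classify(policies, flows):
    """Map each (src, dst) flow to the action the policy set yields for it."""
    return {flow: lookup(policies, *flow) for flow in flows}


# Constructed policy sets. The first is what the client conn in the post
# installs (leftsubnet=192.168.1.0/24, rightsubnet=0.0.0.0/0); the second
# adds the passthrough policy for the LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

TUNNEL_ONLY = [Policy(LAN, ANY, "tunnel")]
WITH_PASSTHROUGH = TUNNEL_ONLY + [Policy(LAN, LAN, "bypass")]

# Constructed sample flows: a ping to a LAN host and a lookup to the Internet.
SAMPLE_FLOWS = [("192.168.1.5", "192.168.1.10"), ("192.168.1.5", "8.8.8.8")]

if __name__ == "__main__":
    for name, policies in (("tunnel only", TUNNEL_ONLY),
                           ("with passthrough", WITH_PASSTHROUGH)):
        print(name)
        for flow, action in classify(policies, SAMPLE_FLOWS).items():
            print(f"  {flow[0]} -> {flow[1]}: {action}")
```

With the tunnel-only set, both flows come back as "tunnel", which is the symptom in the post (the LAN ping showing up on the VPN server). With the passthrough policy added, the LAN flow becomes "bypass" while Internet traffic still takes the tunnel. On a live client the same two policies are what to look for in the output of `setkey -DP` or `ip xfrm policy`: a 192.168.1.0/24 -> 192.168.1.0/24 entry without an ESP template ahead of the 192.168.1.0/24 -> 0.0.0.0/0 tunnel entry.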