[strongSwan] Split Tunnel Not Working

Noel Kuntze noel at familie-kuntze.de
Sun Jan 11 02:37:24 CET 2015


Hello David,

You have fallen for a misconception.
The leftsubnet parameter controls what source addresses in an IP packet are valid for tunneling.
The rightsubnet parameter controls what destination addresses in an IP packet are valid for tunneling.
Those two constraints are used to find out what packets should go through the tunnel by checking
the source and destination and seeing if both match.

So your configuration tells your client to tunnel any packets whose source is in the subnet
and the destination is in the subnet (any IP address).

What you want is a passthrough policy with source and destination being
That policy with narrower subnets will take precedence over the policy that is defined by
your "toclient" connection definition.

conn lanbypass

Split tunneling does not involve "lefthostaccess" or any other such things.
Split tunneling can be done by two things:
    * Defining your leftsubnet and rightsubnet definitions so they do not cover
      the subnet you want to exclude.
    * Push or locally define such passthrough policies. (Can be done using the attr or attr-sql plugin)

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
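As an added illustration of the passthrough approach Noel describes (this is not his or David's configuration, and the addresses are assumptions: 192.168.1.0/24 stands in for the client's NAT LAN, 0.0.0.0/0 for "everything else", 203.0.113.10 for the VPN server), a client-side /etc/ipsec.conf that tunnels all traffic except the local LAN:

```conf
# Added example, not from the thread. Addresses are assumed placeholders:
#   192.168.1.0/24  the client's NAT LAN
#   0.0.0.0/0       any destination (the remote selector of the tunnel)
#   203.0.113.10    the VPN server

# The tunnel. Source 192.168.1.0/24 and destination 0.0.0.0/0 both match
# for a packet to another LAN host, so on its own this policy swallows
# LAN traffic too.
conn toserver
        keyexchange=ikev2
        right=203.0.113.10
        rightcert=serverCert.der
        rightsubnet=0.0.0.0/0
        leftsubnet=192.168.1.0/24
        leftcert=clientCert.pem
        auto=add

# The bypass. Both selectors are the LAN itself, so the policy is
# narrower than toserver's and wins. type=passthrough installs plain
# (non-IPsec) kernel policies, auto=route installs them at startup with
# no IKE exchange, and authby=never says no authentication is involved.
conn lanbypass
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.1.0/24
        type=passthrough
        authby=never
        auto=route
```

After `ipsec reload`, the installed kernel policies can be inspected with `ip xfrm policy` (or `setkey -DP`, as David asks about): the lanbypass entries show up as src/dst 192.168.1.0/24 policies with no `tmpl` line, which is what a passthrough looks like, while the toserver policies carry a `tmpl ... proto esp mode tunnel` once the SA is up. A ping to another LAN host should then no longer appear on the VPN server.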

Am 11.01.2015 um 01:24 schrieb David Mitchell:
> Greetings,
> I’m trying to set up what should be a simple split tunnel configuration and am having issues. The client is on a NAT subnet so I have leftsubnet= I want everything except traffic for the LAN to go out the IPsec tunnel so I have rightsubnet= The tunnel comes up fine but _all_ traffic goes out the tunnel, even traffic destined for If I try to ping some other host on the local subnet I can see the ICMP request on the VPN server where it shouldn’t be. The VPN server can (as expected) send an ICMP to a host on the LAN. I’ve tried both with and without lefthostaccess=yes (which I though would basically control split tunneling).
> Both servers are Debian Wheezy using the Strongswan 4.X packages. I can try the Strongswan 5.X packages from back ports but my impression is that this should work just fine. It’s not a complex configuration so I’m kind of stumped as to why it’s not working. I’m thinking that if I use ‘setkey -DP’ on the client I should see a rule matching - to keep the local traffic out of the tunnel? Or is there some other method I should be checking? Any advice would be appreciated. Thanks,
> -David Mitchell
> On the server:
> conn toclient
>         keyexchange=ikev2
>         left=
>         leftid=
>         leftcert=serverCert.der
>         leftsubnet=
>         rightcert=clientCert.pem
>         right=%any
>         # righthostaccess=yes
>         rightsubnet=
>         auto=add
> On the client:
> conn toserver
>         keyexchange=ikev2
>         right=
>         rightcert=serverCert.der
>         rightsubnet=
>         leftsubnet=
>         leftcert=clientCert.pem
>         # lefthostaccess=yes
>         auto=add
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
