[strongSwan] separate routes for VPN and Internet traffic: can this form of "split tunneling" be configured in ipsec.conf?

Alan Tu 8libra at gmail.com
Sun May 31 17:08:02 CEST 2015 

Hello, I'm still new to ipsec VPNs and Strongswan, and I'd like to run
the scenario by the group, with potentially a feature suggestion.

I'm trying to implement what seems to be called split tunneling,
without the cooperation or configuration of the remote VPN gateway.

I'm a road warrior connecting to a VPN over the Internet, with the
following pertinent configuration settings:
conn vpn
    type=tunnel
    keyexchange=ikev1
    aggressive=yes
    left=%any
    leftsourceip=%modeconfig
    right=[public IP VPN gateway]
    rightsubnet=0.0.0.0/0

Other users using proprietary VPN clients or VPNC still have their
non-VPN-LAN traffic (browsing, etc) routed over the users' local WAN,
but I noticed all of my Internet traffic was going through the VPN.
According to the Strongswan split tunneling page [1], IKE v1 doesn't
easily support split tunneling. But after reading and thinking, I
realized altering the routing table might achieve the effect I want.

Post-VPN routing table 220:
$ ip route show table 220
default via [WAN gateway IP] dev eth0  proto static  src [VPN virtual
private IP]

So I did:
# ip route add table 220 [VPN subnet] via [WAN gateway IP] dev eth0
proto static src [VPN virtual private IP]

This told the kernel, I hoped, to direct traffic going to the VPN
subnet to the ipsec tunnel. XFRM policies and states would then take
over.

Next, I wanted to change the default route so that non-VPN traffic
would go through the local WAN/Internet connection:
# ip route change table 220 default via [WAN gateway IP] src [original eth0 IP]

And so far, things seem to work the way I intend. I can still access
the VPN subnet, but connections going to the Internet originate from
my original network connection's address.

Am I missing anything? And if this is a valid scenario, is there any
way I can set this up more intuitively in ipsec.conf? And if not, I'm
wondering if it might be beneficial to have the capability to
configure a connection like this in ipsec.conf. Most of the variables
are more easily available to the Strongswan daemon when a connection
is brought up, and it would seemingly give users an easy way to
configure a form of "split tunneling".

Alan

Note:
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

More information about the Users mailing list