[strongSwan] separate routes for VPN and Internet traffic: can this form of "split tunneling" be configured in ipsec.conf?
Alan Tu
8libra at gmail.com
Sun May 31 17:08:02 CEST 2015
Hello, I'm still new to IPsec VPNs and strongSwan, and I'd like to run
the scenario by the group, with potentially a feature suggestion.
I'm trying to implement what seems to be called split tunneling,
without the cooperation or configuration of the remote VPN gateway.
I'm a road warrior connecting to a VPN over the Internet, with the
following pertinent configuration settings:
conn vpn
    type=tunnel
    keyexchange=ikev1
    aggressive=yes
    left=%any
    leftsourceip=%modeconfig
    right=[public IP VPN gateway]
    rightsubnet=0.0.0.0/0
Other users using proprietary VPN clients or VPNC still have their
non-VPN-LAN traffic (browsing, etc) routed over the users' local WAN,
but I noticed all of my Internet traffic was going through the VPN.
According to the strongSwan split tunneling page [1], IKEv1 doesn't
easily support split tunneling. But after reading and thinking, I
realized altering the routing table might achieve the effect I want.
Post-VPN routing table 220:

    $ ip route show table 220
    default via [WAN gateway IP] dev eth0 proto static src [VPN virtual private IP]

So I did:

    # ip route add table 220 [VPN subnet] via [WAN gateway IP] dev eth0 proto static src [VPN virtual private IP]

This told the kernel, I hoped, to direct traffic going to the VPN
subnet to the IPsec tunnel. XFRM policies and states would then take
over.
Next, I wanted to change the default route so that non-VPN traffic
would go through the local WAN/Internet connection:
    # ip route change table 220 default via [WAN gateway IP] src [original eth0 IP]

And so far, things seem to work the way I intend. I can still access
the VPN subnet, but connections going to the Internet originate from
my original network connection's address.
Am I missing anything? And if this is a valid scenario, is there any
way I can set this up more intuitively in ipsec.conf? And if not, I'm
wondering if it might be beneficial to have the capability to
configure a connection like this in ipsec.conf. Most of the variables
are more easily available to the Strongswan daemon when a connection
is brought up, and it would seemingly give users an easy way to
configure a form of "split tunneling".
Alan
Note:
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
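The two manual `ip route` edits above can be applied automatically from a `leftupdown` script, since charon hands the script most of the values it needs. The following is an added example, not code from the original post and not the strongSwan project's own `_updown` script. It assumes Linux with iproute2, strongSwan's default routing table 220, and the PLUTO_* variables charon exports to updown scripts (PLUTO_VERB, PLUTO_PEER, PLUTO_ME, PLUTO_INTERFACE, PLUTO_MY_SOURCEIP). SPLIT_SUBNETS is a hypothetical, admin-set variable standing in for the post's "[VPN subnet]"; strongSwan itself does not provide it. DRY_RUN=1 prints the commands instead of running them, which is also how the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): an updown
# script that narrows routing table 220 to the VPN subnets when the tunnel
# comes up and removes those routes again when it goes down.
#
# Assumptions, not facts from the post:
#   - charon exports PLUTO_VERB, PLUTO_PEER, PLUTO_ME (our real WAN address),
#     PLUTO_INTERFACE (WAN interface) and PLUTO_MY_SOURCEIP (mode-config IP).
#   - SPLIT_SUBNETS (hypothetical) holds space-separated CIDRs to tunnel.
#   - DRY_RUN=1 prints the ip(8) commands instead of executing them.

TABLE=220

# run_cmd: execute the command, or print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# route_field FIELD LINE: value following FIELD ("via", "dev", "src") in one
# line of 'ip route get' output; prints nothing if the field is absent.
route_field() {
    printf '%s\n' "$2" | awk -v f="$1" '{
        for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit }
    }'
}

# split_tunnel_up WAN_GW WAN_DEV VPN_IP ORIG_IP SUBNET...
# Only SUBNET... is sourced from the virtual IP, so only that traffic matches
# the XFRM out-policy "src VPN_IP dst 0.0.0.0/0" charon installed; the default
# route keeps the original address and therefore never enters IPsec.
split_tunnel_up() {
    wan_gw=$1 wan_dev=$2 vpn_ip=$3 orig_ip=$4
    shift 4
    for net in "$@"; do
        run_cmd ip route replace table "$TABLE" "$net" via "$wan_gw" dev "$wan_dev" proto static src "$vpn_ip"
    done
    # 'replace' overwrites the src=VPN_IP default route charon put in table 220.
    run_cmd ip route replace table "$TABLE" default via "$wan_gw" dev "$wan_dev" proto static src "$orig_ip"
}

# split_tunnel_down WAN_GW WAN_DEV ORIG_IP SUBNET...: undo the above. charon
# deletes its own default route; ours has a different src, so delete it too
# and tolerate "not found" in either order.
split_tunnel_down() {
    wan_gw=$1 wan_dev=$2 orig_ip=$3
    shift 3
    for net in "$@"; do
        run_cmd ip route del table "$TABLE" "$net" via "$wan_gw" dev "$wan_dev" || true
    done
    run_cmd ip route del table "$TABLE" default via "$wan_gw" dev "$wan_dev" src "$orig_ip" || true
}

# Entry point when charon invokes the script (leftupdown=/path/to/script).
updown_main() {
    [ -n "${SPLIT_SUBNETS:-}" ] || { echo "SPLIT_SUBNETS not set" >&2; return 1; }
    # Next hop toward the gateway; the device and our address come from charon.
    line=$(ip -4 route get "$PLUTO_PEER" | head -n 1)
    gw=$(route_field via "$line")
    [ -n "$gw" ] || { echo "no next hop toward $PLUTO_PEER (on-link peer not handled)" >&2; return 1; }
    case "$PLUTO_VERB" in
        # $SPLIT_SUBNETS is intentionally unquoted so it splits into CIDRs.
        up-client)   split_tunnel_up   "$gw" "$PLUTO_INTERFACE" "$PLUTO_MY_SOURCEIP" "$PLUTO_ME" $SPLIT_SUBNETS ;;
        down-client) split_tunnel_down "$gw" "$PLUTO_INTERFACE" "$PLUTO_ME" $SPLIT_SUBNETS ;;
        *) : ;;   # up-host, IPv6 variants etc. are left alone
    esac
}

# Dispatch only when charon (or a manual run) has set PLUTO_VERB; sourcing the
# file without it merely defines the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Hook it in with `leftupdown=/path/to/this/script` on the conn (and set SPLIT_SUBNETS in the script or charon's environment). Two caveats: `leftupdown` replaces the default `_updown` script, so anything that script did for you is gone; and the `src` hint only steers locally originated traffic that lets the kernel pick a source address, so a socket explicitly bound to the virtual IP, or forwarded traffic, still matches the 0.0.0.0/0 policy and goes through the tunnel. If you would rather own table 220 entirely, strongswan.conf's `charon.install_routes` can stop charon from installing routes at all. The gateway, of course, still believes it has a full tunnel; this only changes what the client sends into it.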