[strongSwan] separate routes for VPN and Internet traffic: can this form of "split tunneling" be configured in ipsec.conf?
noel at familie-kuntze.de
Sun May 31 17:31:25 CEST 2015
IPsec on Linux nowadays is policy based, not route based.
You need to write bypass/passthrough policies that define what
traffic should not be subject to IPsec processing.
Look at the test scenarios for that to get an idea of
how to define it.
Kind Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 31.05.2015 at 17:08, Alan Tu wrote:
> Hello, I'm still new to ipsec VPNs and Strongswan, and I'd like to run
> the scenario by the group, with potentially a feature suggestion.
> I'm trying to implement what seems to be called split tunneling,
> without the cooperation or configuration of the remote VPN gateway.
> I'm a road warrior connecting to a VPN over the Internet, with the
> following pertinent configuration settings:
> conn vpn
> right=[public IP VPN gateway]
> Other users using proprietary VPN clients or VPNC still have their
> non-VPN-LAN traffic (browsing, etc) routed over the users' local WAN,
> but I noticed all of my Internet traffic was going through the VPN.
> According to the Strongswan split tunneling page, IKE v1 doesn't
> easily support split tunneling. But after reading and thinking, I
> realized altering the routing table might achieve the effect I want.
> Post-VPN routing table 220:
> $ ip route show table 220
> default via [WAN gateway IP] dev eth0 proto static src [VPN virtual private IP]
> So I did:
> # ip route add table 220 [VPN subnet] via [WAN gateway IP] dev eth0 proto static src [VPN virtual private IP]
> This told the kernel, I hoped, to direct traffic going to the VPN
> subnet to the ipsec tunnel. XFRM policies and states would then take
> Next, I wanted to change the default route so that non-VPN traffic
> would go through the local WAN/Internet connection:
> # ip route change table 220 default via [WAN gateway IP] src [original eth0 IP]
> And so far, things seem to work the way I intend. I can still access
> the VPN subnet, but connections going to the Internet originate from
> my original network connection's address.
> Am I missing anything? And if this is a valid scenario, is there any
> way I can set this up more intuitively in ipsec.conf? And if not, I'm
> wondering if it might be beneficial to have the capability to
> configure a connection like this in ipsec.conf. Most of the variables
> are more easily available to the Strongswan daemon when a connection
> is brought up, and it would seemingly give users an easy way to
> configure a form of "split tunneling".
>  https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
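Putting Noel's advice into an ipsec.conf, as an added example that is not part of either message and not strongSwan's own documentation. The addresses are placeholders: 203.0.113.1 stands for the gateway's public IP, 10.0.0.0/8 for the VPN-side network and 192.168.1.0/24 for the road warrior's local LAN; the authentication settings are left to whatever the gateway requires. The point is that charon's table 220 route is installed per remote traffic selector with the virtual IP as source, so a `rightsubnet=0.0.0.0/0` produces exactly the default route Alan saw, whereas a narrowed `rightsubnet` leaves Internet traffic on the main table and the original eth0 address with no manual `ip route change`. The passthrough conn is the mechanism Noel refers to: it installs an XFRM bypass policy so that LAN traffic is never IPsec-processed even when a broader tunnel policy exists.

```ini
# /etc/ipsec.conf, added example (not from the thread); addresses are placeholders.

conn vpn
    keyexchange=ikev1
    left=%defaultroute
    leftsourceip=%config          # request a virtual IP from the gateway (mode config)
    right=203.0.113.1             # assumed public IP of the VPN gateway
    # Only the VPN-side network is tunnelled. With IKEv1 the gateway must
    # accept exactly this selector: there is no narrowing as in IKEv2.
    rightsubnet=10.0.0.0/8
    # ... leftid/rightid/authby/xauth settings as required by the gateway
    auto=add

# Bypass policy: traffic to the local LAN never enters IPsec, even if a
# broader tunnel policy (for example rightsubnet=0.0.0.0/0) is installed.
conn lan-passthrough
    leftsubnet=192.168.1.0/24     # assumed local LAN
    rightsubnet=192.168.1.0/24
    authby=never
    type=passthrough
    auto=route
```

After `ipsec up vpn`, `ip xfrm policy` should list the passthrough entries (policies without a tmpl) next to the tunnel policies for 10.0.0.0/8, and `ip route show table 220` should contain only the 10.0.0.0/8 route with the virtual IP as source, not a default route. If the gateway rejects the narrowed selector and insists on 0.0.0.0/0, the passthrough conn still keeps the LAN reachable, but Alan's route change remains the only way to keep general Internet traffic off the tunnel.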