[strongSwan] local_ts/remote_ts (split tunneling) trouble

Constantin Jacob cjacob at fastmail.com
Mon Feb 17 11:39:24 CET 2020


I have carefully read through previous archived posts on here about this topic and have also made it all the way to page 10 in Google search before giving up. So far I wasn't able to find anything that was able to help me.

I am trying to setup split tunneling in swanctl.conf server side, so on the responder end. I am struggling a bit with the terminology but I get better, please correct if I am wrong. The initiator is an iPhone running iOS 13.3.

In a previous E-Mail thread here I have stumbled onto this which has helped me in many ways:

The leftsubnet parameter controls what source addresses in an IP packet are valid for tunneling.
The rightsubnet parameter controls what destination addresses in an IP packet are valid for tunneling.
Those two constraints are used to find out what packets should go through the tunnel by checking
the source and destination and seeing if both match.

I had a base config that is working great with my iPhone but it sends everything through the tunnel, with local_ts set to
In order to get my feet wet I figured I try to remove everything but the IP of my own web server and go from there, since I could watch the access logs and see the IP there as a form of verification (I have another server in another range that was watching as well). Setting that IP range in remote_ts leads to the iPhone being unable to establish any internet connections anymore

This is my current config. Commenting out the remote_ts line leads to a perfectly working connection again.

connections {
        ikev2_iphoneos {
                version = 2
                proposals = aes256-sha384-ecp384,default
                rekey_time = 0s
                pools = dhcp_ipv4
                fragmentation = yes
                mobike = yes
                encap = yes
                send_cert = always
                dpd_delay = 90s
                local {
                        cert_gateway {
                                file = .crt
                        id = 
                remote {
                        auth = eap-mschapv2
                        eap_id = %any
                children {
                        ikev2_iphoneos {
                                mode = tunnel
                                local_ts =
                                remote_ts =,
                                rekey_time = 0s
                                dpd_action = clear
                                esp_proposals = aes256gcm16-ecp384,default
pools {
        dhcp_ipv4 {
                addrs =
                dns =,
secrets {
        ecdsa_gateway {
                id = 
                file = .key

I then tried setting local_ts to the public IPv4 address of my server which leads to a perfectly working connection but effectively nothing being tunneled anymore. My guess right now is that local_ts is always wrong and I can't use since that would mean everything. I have tried setting it to the virtual IP range but that leads to errors being thrown server side (responder) while establishing the connection.

Thank you very much for any help in advance!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200217/1ea2b6fd/attachment-0001.html>

More information about the Users mailing list