
I have been trying to set up a Split Tunnel from my Ubuntu 18.04 Server (Client) to a Watchguard Firebox using StrongSwan IKEv2 protocol. In the end I will want this to be a Site-to-Site connection, but I am starting with just one side first.

I have been able to connect successfully to the Watchguard and have been given an IP address, but I do not want to have all traffic sent through the tunnel, just for certain subnets. I have added the routes via ip route add and while I have the connection up, if I have tcpdump running I can see that the traffic (192.168.1.0/24) is going through the interface I set up, but I do not get a response back. Any help would be greatly appreciated.

Here is the config file for IPSec.
I took out the server address and the username. Like I said, I have a successful connection. The rightsubnet is commented out as I want to define it via the ip route command. If I uncomment it and bring the connection up, I can successfully ping each subnet defined, but this does not split off the traffic, and eventually I will have rules in place to allow only certain devices access to the VPN.

conn dealers
  right=xxxxxxxx
  rightid="O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
  #rightsubnet=192.168.1.0/24,192.168.20.0/24,192.168.40.0/24,192.168.3.0/24,192.168.5.0/24
  rightauth=pubkey
  leftsourceip=%config
  leftid=xxxxxxxx
  leftauth=eap-mschapv2
  eap_identity=%identity
  auto=add

Here is my ip route table

default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.196 metric 100
10.0.10.0/24 via 192.168.115.1 dev dealers_tunnel 
192.168.1.0/24 via 192.168.115.1 dev dealers_tunnel 
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.196 
192.168.2.1 dev eth0 proto dhcp scope link src 192.168.2.196 metric 100 
192.168.115.0/24 dev dealers_tunnel proto kernel scope link src 192.168.115.29

I have a script that will connect the vpn and then set up the interface and add the routes. For testing I am only adding the 192.168.1.0/24 network.

#!/bin/bash
#
#./ikev2-up.sh
#

/usr/sbin/ipsec up dealers

ip tunnel add dealers_tunnel local 10.0.10.1 remote 192.168.115.29 mode gre ttl 255
ip link set dealers_tunnel up
ip addr add 192.168.115.29/24 dev dealers_tunnel

ip route add 192.168.115.0/24 dev dealers_tunnel
ip route add 10.0.10.0/24 via 192.168.115.1 dev dealers_tunnel
ip route add 192.168.1.0/24 via 192.168.115.1 dev dealers_tunnel


I have not set up any rules yet in iptables -L


Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

I know there is something I'm missing, but just can't figure it out. Thanks again in advance for the help

James W
  • 13

1 Answer


If you configure rightsubnet=0.0.0.0/0 (assuming the peer allows this), you won't need a tunnel device if the peer also assigns a virtual IP address (requested by the client via leftsourceip=%config).

Just disable route installation by strongSwan via charon.install_routes in strongswan.conf and then install your own routes via custom updown script configured in leftupdown. Using an updown script is important because the virtual IP address will not be known to the client beforehand. Only packets from that virtual IP will match the IPsec policies and get tunneled, so it's important to enforce this via source routes.

For instance, to tunnel traffic to 192.168.115.0/24 you'd use something like the following script (by default, strongSwan installs routes in table 220 to avoid conflicts with routes in the main table, so I'll use the same here):

#!/bin/bash

set -o nounset
set -o errexit

case "${PLUTO_VERB}" in
  up-client)
    ip route add 192.168.115.0/24 dev "${PLUTO_INTERFACE}" src "${PLUTO_MY_SOURCEIP}" table 220
    ;;
  down-client)
    ip route del 192.168.115.0/24 table 220
    ;;
esac

ecdsa
  • 1,288
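As an added example along the lines of the answer above (this is not the answerer's script nor code shipped with strongSwan), here is a fuller updown script that installs source-bound routes for several remote subnets in table 220 when the CHILD_SA comes up and removes them when it goes down, and that can be dry-run without root. PLUTO_VERB, PLUTO_INTERFACE and PLUTO_MY_SOURCEIP are the environment variables strongSwan passes to an updown script; the script path /etc/ipsec.d/split-updown.sh, the subnet list in TUNNEL_SUBNETS and the IP_CMD override are assumptions made for this example.

```shell
#!/bin/bash
# Example updown script for a route-based split tunnel (added example, not
# strongSwan's or the answerer's own code). Assumes strongswan.conf contains
#   charon { install_routes = no }
# and the conn in ipsec.conf has
#   leftupdown=/etc/ipsec.d/split-updown.sh   (hypothetical path)
# Only packets whose source is the virtual IP match the IPsec policy, so every
# route is installed with `src ${PLUTO_MY_SOURCEIP}`.
set -o nounset
set -o errexit

# Remote subnets to send through the tunnel (constructed example list). The
# peer must also allow them in its traffic selectors / rightsubnet.
TUNNEL_SUBNETS="${TUNNEL_SUBNETS:-192.168.1.0/24 192.168.20.0/24}"
ROUTE_TABLE=220

# Command used to manipulate routes. Set IP_CMD=echo to dry-run as a normal
# user: the ip(8) arguments are printed instead of executed.
IP_CMD="${IP_CMD:-ip}"

# Install one source-bound route per subnet. `replace` makes the script
# idempotent if charon re-runs up-client (e.g. after a reconnect).
install_routes() {
    iface="$1"
    srcip="$2"
    for subnet in $TUNNEL_SUBNETS; do
        $IP_CMD route replace "$subnet" dev "$iface" src "$srcip" table "$ROUTE_TABLE"
    done
}

# Remove the routes again. `|| true` keeps tearing down the remaining routes
# even if one of them is already gone.
remove_routes() {
    for subnet in $TUNNEL_SUBNETS; do
        $IP_CMD route del "$subnet" table "$ROUTE_TABLE" || true
    done
}

# Dispatch on the verb charon passes; other verbs (up-host, down-host, ...)
# are ignored so the script never fails a CHILD_SA for an unrelated event.
handle_verb() {
    case "$1" in
        up-client)   install_routes "$PLUTO_INTERFACE" "$PLUTO_MY_SOURCEIP" ;;
        down-client) remove_routes ;;
        *)           ;;
    esac
}

# Only act when invoked by charon (PLUTO_VERB set); this also allows the file
# to be sourced for testing without touching the routing table.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_verb "$PLUTO_VERB"
fi
```

To see what the script would do before wiring it into leftupdown, run it as an unprivileged user with IP_CMD=echo PLUTO_VERB=up-client PLUTO_INTERFACE=eth0 PLUTO_MY_SOURCEIP=192.168.115.29 ./split-updown.sh. Once the connection is up, check the result with ip route show table 220 and confirm with ip rule show that a rule directing lookups to table 220 exists; without that rule the routes in table 220 are never consulted. If the peer narrows the traffic selectors, PLUTO_PEER_CLIENT (the remote subnet negotiated for the CHILD_SA) can be used instead of a fixed list.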