Hey,

I have carefully read through previous archived posts on here about this topic 
and have also made it all the way to page 10 in Google search before giving up. 
So far I wasn't able to find anything that was able to help me.

I am trying to set up split tunneling in swanctl.conf server side, so on the 
responder end. I am struggling a bit with the terminology but I am getting better, 
please correct me if I am wrong. The initiator is an iPhone running iOS 13.3.

In a previous e-mail thread here I stumbled onto this, which has helped me 
in many ways:

The leftsubnet parameter controls what source addresses in an IP packet are 
valid for tunneling.
The rightsubnet parameter controls what destination addresses in an IP packet 
are valid for tunneling.
Those two constraints are used to find out what packets should go through the 
tunnel by checking
the source and destination and seeing if both match.


I had a base config that is working great with my iPhone but it sends 
everything through the tunnel, with local_ts set to 0.0.0.0/0.
In order to get my feet wet I figured I would try to remove everything but the IP of 
my own web server and go from there, since I could watch the access logs and 
see the IP there as a form of verification (I have another server in another 
range that was watching as well). Setting that IP range in remote_ts leads to 
the iPhone being unable to establish any internet connections anymore.

This is my current config. Commenting out the remote_ts line leads to a 
perfectly working connection again.

connections {
        ikev2_iphoneos {
                version = 2
                proposals = aes256-sha384-ecp384,default
                rekey_time = 0s
                pools = dhcp_ipv4
                fragmentation = yes
                mobike = yes
                encap = yes
                send_cert = always
                dpd_delay = 90s
                local {
                        cert_gateway {
                                file = .crt
                        }
                        id = 
                }
                remote {
                        auth = eap-mschapv2
                        eap_id = %any
                }
                children {
                        ikev2_iphoneos {
                                mode = tunnel
                                local_ts = 0.0.0.0/0
                                remote_ts = 212.12.47.1/29, 8.8.0.0/16
                                rekey_time = 0s
                                dpd_action = clear
                                esp_proposals = aes256gcm16-ecp384,default
                        }
                }
        }
}
pools {
        dhcp_ipv4 {
                addrs = 10.99.0.0/16
                dns = 8.8.4.4, 8.8.8.8
        }
}
secrets {
        ecdsa_gateway {
                id = 
                file = .key
        }
}



I then tried setting local_ts to the public IPv4 address of my server which 
leads to a perfectly working connection but effectively nothing being tunneled 
anymore. My guess right now is that local_ts is always wrong and I can't use 
0.0.0.0/0 since that would mean everything. I have tried setting it to the 
virtual IP range but that leads to errors being thrown server side (responder) 
while establishing the connection.


Thank you very much for any help in advance!


Best

CJ
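Added example (not part of CJ's mail or of the strongSwan project): the same child section with the traffic selectors written from the responder's point of view, reusing the address ranges quoted above. It assumes the web server lives in the /29 containing 212.12.47.1 (i.e. 212.12.47.0/29) and that the virtual IPs come from the dhcp_ipv4 pool.

```conf
# Responder-side swanctl.conf, children section only; the IKE-level
# settings (proposals, pools = dhcp_ipv4, eap-mschapv2, ...) stay as posted.
connections {
        ikev2_iphoneos {
                pools = dhcp_ipv4
                children {
                        ikev2_iphoneos {
                                mode = tunnel
                                # local_ts = networks behind THIS gateway that the
                                # phone is allowed to reach through the tunnel.
                                # 212.12.47.1/29 from the mail is the network
                                # 212.12.47.0/29; 8.8.0.0/16 covers the DNS servers
                                # handed out by the pool. Everything else stays
                                # outside the tunnel (split tunneling).
                                local_ts = 212.12.47.0/29, 8.8.0.0/16
                                # remote_ts = the peer's side. Leaving it at the
                                # default (dynamic) lets charon narrow it to the
                                # virtual IP assigned from dhcp_ipv4. Putting the
                                # web server range here instead tells charon the
                                # *phone* must use a 212.12.47.x source address,
                                # which is why no traffic matched the SA.
                                # remote_ts = 10.99.0.0/16   # explicit pool range also works
                                rekey_time = 0s
                                dpd_action = clear
                                esp_proposals = aes256gcm16-ecp384,default
                        }
                }
        }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show the CHILD_SA with the phone's virtual IP on the remote side and 212.12.47.0/29 on the local side; a hit in the web server's access log from the 10.99.0.0/16 range (or the gateway's public IP, if it NATs) confirms the split.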
