> Hi Tobias,
>
> I could nail down the tunnel traffic by adding just the 192.168.200.1/24
> as remote/right network on the Draytek config, but then I am not able to
> process the occasional traffic to the internet (if routing from a
> certain source via the tunnel is enabled on the Draytek) without a lot
> of manual modifications (iptables, ip xfrm policies).
Correct, you'll only be able to tunnel traffic that matches the traffic selectors/IPsec policies. If you don't know beforehand what traffic that is, you might want to look into route-based VPNs [1], where the traffic selectors are 0.0.0.0/0 on both ends and the tunneled traffic is determined via routing. You then just have to make sure the Draytek router doesn't automatically route everything via the VPN if such traffic selectors are negotiated.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
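The strongSwan side of the route-based setup Tobias points to, written out as an added example; it is not part of the original thread and not strongSwan's own documentation, and the Draytek side is not shown. Every concrete value is an assumption chosen for illustration: WAN interface eth0, an XFRM interface ipsec0 with interface ID 42, local LAN 192.168.100.0/24, the Draytek LAN 192.168.200.0/24 from the question, a constructed peer address 203.0.113.10, and one internal host 192.168.100.7 whose internet traffic should also go through the tunnel. The child SA is negotiated with 0.0.0.0/0 on both sides, so the IPsec policies match everything, but because they carry the interface ID they only apply to packets that routing sends into ipsec0; which prefixes those are is decided by ordinary routes and one policy-routing rule.

```shell
#!/bin/sh
# Route-based IPsec on a strongSwan gateway (added example, not from the
# original thread). Without the argument "apply" the script only prints the
# configuration and commands it would install; with "apply" it installs them
# (requires root, swanctl and iproute2 with xfrm interface support).

WAN_IF=eth0                 # assumed WAN interface
XFRM_IF=ipsec0              # assumed name of the XFRM interface
XFRM_ID=42                  # assumed interface ID, must match if_id_in/out
REMOTE_NET=192.168.200.0/24 # Draytek LAN from the question
PEER=203.0.113.10           # constructed documentation address of the Draytek
TUNNELED_HOST=192.168.100.7 # assumed host whose internet traffic is tunneled
PBR_TABLE=100               # assumed policy-routing table for that host

# swanctl.conf: catch-all traffic selectors bound to the XFRM interface ID.
render_swanctl_conf() {
    cat <<EOF
connections {
    draytek {
        version = 2
        local_addrs = %any
        remote_addrs = $PEER
        local {
            auth = psk
            id = vpn.example.net
        }
        remote {
            auth = psk
            id = $PEER
        }
        if_id_in = $XFRM_ID
        if_id_out = $XFRM_ID
        proposals = aes256-sha256-x25519
        children {
            all {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-draytek {
        id-peer = $PEER
        secret = "0sChangeMeBeforeUse"
    }
}
EOF
}

# Routing decides what is tunneled: the Draytek LAN unconditionally, and
# internet-bound traffic only when it comes from $TUNNELED_HOST.
render_route_commands() {
    cat <<EOF
ip link add $XFRM_IF type xfrm dev $WAN_IF if_id $XFRM_ID
ip link set $XFRM_IF up
ip route add $REMOTE_NET dev $XFRM_IF
ip rule add from $TUNNELED_HOST lookup $PBR_TABLE
ip route add default dev $XFRM_IF table $PBR_TABLE
EOF
}

apply() {
    render_swanctl_conf > /etc/swanctl/conf.d/draytek.conf
    render_route_commands | sh -e
    swanctl --load-all
    swanctl --initiate --child all
    # Check: policies carry the interface ID, and only the prefixes routed
    # above point at $XFRM_IF, so nothing else on the box is captured.
    ip xfrm policy
    ip -d link show "$XFRM_IF"
    ip route show dev "$XFRM_IF"
    ip route show table "$PBR_TABLE"
}

if [ "$1" = apply ]; then
    apply
else
    render_swanctl_conf
    render_route_commands
fi
```

Run it as `sh route-based.sh apply` on the gateway (with IP forwarding enabled). Two things outside the script still matter: the Draytek must, as Tobias says, be kept from routing all of its traffic into the tunnel just because 0.0.0.0/0 was negotiated, and it must be willing to forward and NAT the internet-bound packets it receives from 192.168.100.7 over the tunnel, otherwise that host simply loses connectivity. Also check `ip route show table 220` once the SA is up: charon installs its own routes in that table for negotiated selectors, and if a catch-all route appears there, disable that behaviour with `charon.install_routes = no` in strongswan.conf.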
