
I need to forward traffic from clients to a VPN server only for specific subnet i.e. 10.10.10.0/24

For example, if clients send requests to 123.123.123.123 then they will use their own Internet. If clients send requests to 10.10.10.123 then they will use a VPN connection.

Is it possible to configure with strongswan? Right now all traffic from clients is proxied through the VPN server. Here is my strongswan configuration:

config setup
    uniqueids=no
    charondebug = ike 3, cfg 3

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    compress=yes

    ### left - local (server) side
    # filename of certificate chain located in /etc/strongswan/ipsec.d/certs/
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0

    ### right - remote (client) side
    eap_identity=%identity
    rightsourceip=10.10.11.0/24,2a00:1450:400c:c05::/112
    rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.com
Oleksandr

2 Answers

I am a newbie in VPN configurations.
I just tried to change leftsubnet to 10.10.10.0/24 and now it works. Only traffic to 10.10.10.0/24 is forwarded to the VPN server.

Oleksandr
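To make the effect of narrowing leftsubnet concrete, here is an added Python example (not the asker's configuration and not part of strongSwan): a small parser for the ipsec.conf layout used above that applies the conn %default inheritance rule, reads the server-side traffic selectors from leftsubnet, and classifies a destination address as tunneled or not. The sample configuration is constructed from the question with leftsubnet changed as in the answer; the parser is a simplification that assumes indented key=value lines under "config setup"/"conn NAME" headers and ignores features such as also= and include. If leftsubnet is absent, strongSwan treats the selector as the gateway's own address only, so the example then tunnels nothing else.

```python
import ipaddress
from typing import Dict, List, Union

# Constructed sample: the question's server-side ipsec.conf, trimmed, with
# leftsubnet narrowed to the one subnet that should go through the tunnel.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no

conn %default
    keyexchange=ikev2
    leftcert=fullchain.pem
    leftsubnet=10.10.10.0/24   # only this subnet is offered as a traffic selector
    rightsourceip=10.10.11.0/24

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.com
"""

# The full-tunnel selector list from the original question, for comparison.
FULL_TUNNEL_LEFTSUBNET = "0.0.0.0/0,::/0"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf text into {"conn NAME": {key: value}, "config setup": {...}}.

    Section headers start in column 0; settings are indented key=value lines.
    '#' comments and blank lines are dropped. Every conn other than %default
    starts from %default's settings and then overrides them (strongSwan's rule).
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()

    defaults = sections.get("conn %default", {})
    for name, settings in list(sections.items()):
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(defaults)
            merged.update(settings)
            sections[name] = merged
    return sections


def traffic_selectors(conf: Dict[str, Dict[str, str]], conn: str) -> List[Network]:
    """Return the server-side traffic selectors (leftsubnet) for one conn.

    A missing leftsubnet means strongSwan uses the gateway's own address only,
    so no other destination is tunneled; that case yields an empty list here.
    """
    left = conf[conn].get("leftsubnet")
    if not left:
        return []
    return [ipaddress.ip_network(s.strip()) for s in left.split(",")]


def is_tunneled(selectors: List[Network], dst: str) -> bool:
    """True if dst falls inside any selector of matching address family."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in selectors if net.version == addr.version)


def classify(conf_text: str, conn: str, dst: str) -> str:
    """Convenience wrapper: 'vpn' if dst would go through the tunnel, else 'direct'."""
    selectors = traffic_selectors(parse_ipsec_conf(conf_text), conn)
    return "vpn" if is_tunneled(selectors, dst) else "direct"


if __name__ == "__main__":
    for dst in ("10.10.10.123", "123.123.123.123"):
        print(dst, "->", classify(SAMPLE_IPSEC_CONF, "conn ikev2-mschapv2", dst))
```

Running the block prints "10.10.10.123 -> vpn" and "123.123.123.123 -> direct", which is the behaviour the question asks for; swapping in FULL_TUNNEL_LEFTSUBNET classifies every destination as "vpn", which is the behaviour the original configuration produced. Whether a given client actually honours a narrowed selector depends on the client, so checking the installed policies on the client after connecting is still worthwhile.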

Unfortunately you can't. You have to configure the clients instead.

What I do is create a script in the client end in /etc/ppp/ip-up like this:

/sbin/route add 172.31.0.0/16 $5

$5 expands to the IP address of the VPN gateway when you're connected.

gimix