We've setup a ikev2 VPN server with this tutorial, everything works. The only issue is we don't want client to route all traffic using this VPN, only a particular ip addresses.
So, it is possible to configure for the client automatically for the ip-address "173.194.44.71, 173.194.44.65" to etc?
In the terminology of strongswan, "left" is is the server and "right" is the client. "leftsubnet" is what you want to modify. "0.0.0.0/0" matches the entire internet so any connecting client will try to send any internet-bound traffic over the VPN connection, which is evidently not what you want.
You can route multiple server side IPs by defining them as separate conn blocks, and removing the leftsubnet line entirely (or narrowing its definition)...
conn ikev2-vpn-1
left=%any
leftid=173.194.44.71/32
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
conn ikev2-vpn-2
left=%any
leftid=173.194.44.65/32
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
The blocks definitely don't need all that but I don't have a strongswan box around to play with, but that's the idea. Any connecting client will get an ip from 10.10.10.0/24 and a route to 173.194.44.65/32 and 173.194.44.71/32 over the VPN and use the routes it already had for everything else...
I hope this helps.
