I got split tunneling to work. I have an aesthetics question remaining.
My network is atypical in that remote sites live on a private MPLS VPN network, i.e. they don't have a proper internet connection.
So I had to define 3 rules in the following sequence:
1. a DHCP permit rule
2. a "src-nat route" rule for all destinations local to the RAP
3. a fallthrough rule that 'permits' all remaining traffic over the IPsec tunnel toward HQ
Now for the question: I want to configure split tunneling for 13 sites with a minimum of configuration.
The "src-nat route" rule expects a "network alias", which means I have 13 separate policies to define, followed by 13 separate roles, 13 AAA profiles, etc.
Is it possible to replace the explicit "network alias" with a "reference" to the network where 'this' RAP happens to live, which would make that rule dynamic and clean up the config?
Thanks,
Ward