Strongswan nem todo tráfego é criptografado

Configurei o strongswan com o roteador Cisco com a seguinte configuração:

config setup
    uniqueids=never

ca default_ca
    auto=add

conn %default
    keyexchange=ikev1
    type=tunnel
    left=%any
    auto=add
    dpdaction=clear
    margintime=0s
    rekeyfuzz=20%
conn cisco-ezvpn
    keyexchange=ikev1
    left=10.0.1.2
    leftid=lab
    leftsourceip=%config
    leftfirewall=yes
    right=10.0.1.1
    rightsubnet=0.0.0.0/0
    xauth_identity=test
    auto=add
    leftauth2=xauth
    xauth=client
    aggressive=yes
    leftauth=psk
    rightauth=psk
    ikelifetime=86000s
    lifetime=86000s
    ike=aes256-sha256-ecp256
    esp=aes256-sha256

Mas não achei todo o tráfego criptografado.

• Se algum programa, como o ssh, já estiver conectado ao servidor remoto antes de ipsec up, essas conexões não serão usadas túnel VPN, pode be see da saída do tcpdump:

[root@lorawan ~]# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 22:17:54.407463 IP 10.0.1.1 > 10.0.1.2: ESP(spi=0xc0920b53,seq=0x4a), length 184 22:17:59.454819 IP 10.0.1.2 > 10.0.1.1: ESP(spi=0x3ec810fd,seq=0x97), length 120 22:17:59.455637 IP 10.0.1.1 > 10.0.1.2: ESP(spi=0xc0920b53,seq=0x4c), length 104 22:17:59.455637 IP 10.0.1.1 > 10.10.0.0: ICMP 10.0.1.1 udp port domain unreachable, length 36 22:17:59.455787 IP 10.0.1.2 > 10.0.1.1: ESP(spi=0x3ec810fd,seq=0x98), length 120 22:18:01.000771 STP 802.1d, Config, Flags [none], bridge-id 8000.80:e0:1d:66:2f:a2.8001, length 43 22:18:03.000814 STP 802.1d, Config, Flags [none], bridge-id 8000.80:e0:1d:66:2f:a2.8001, length 43 22:18:04.738096 IP 10.0.1.2.33457 > 10.0.1.1.5888: Flags [P.], seq 4216930160:4216930182, ack 50432821, win 17584, length 22 22:18:04.738618 IP 10.0.1.1.5888 > 10.0.1.2.33457: Flags [.], seq 1:27, ack 22, win 3446, length 26 22:18:04.738679 IP 10.0.1.2.33457 > 10.0.1.1.5888: Flags [.], ack 27, win 17584, length 0

A interface padrão: eth0, ainda pode ser acessada pelo processo de hosts externos, por exemplo, ssh:

[root@lorawan ~]# tcpdump -i eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 22:24:28.021347 IP 10.0.1.2 > 10.0.1.1: ESP(spi=0x3ec810fd,seq=0xa9), length 120 22:24:28.169729 IP 10.0.1.1.36550 > 10.0.1.2.ssh: Flags [P.], seq 156:208, ack 825, win 2944, length 52 22:24:28.170144 IP 10.0.1.2.ssh

10.0.1.1.36550: Flags [P.], seq 825:893, ack 208, win 16616, length 68 22:24:28.370727 IP 10.0.1.1.36550 > 10.0.1.2.ssh: Flags [.], ack 893, win 2876, length 0

E meu redirecionamento do iptables parece OK:

[root@lorawan ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.10.0.0            policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.10.0.0            policy match dir in pol ipsec reqid 1 proto esp
ACCEPT     all  --  10.10.0.0            anywhere             policy match dir out pol ipsec reqid 1 proto esp
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.10.0.0            anywhere             policy match dir out pol ipsec reqid 1 proto esp

A minha pergunta é: existe alguma maneira de encaminhar "todo o tráfego" para a VPN?