I'm trying to solve an issue with some Mac users who are having problems with our tunnel-all config on AnyConnect (we must use tunnel-all for our AnyConnect VPN users for various reasons). The Mac users aren't necessarily under this constraint, so they could have tunnel-all turned off. However, there doesn't seem to be a way to do this with AnyConnect (I tried checking if I could create separate profiles for them but didn't see a way to accomplish this).
This leaves setting up an IPSec VPN for them to use. However, after setting IPSec up, I could not get it to connect with AnyConnect still installed on the MacBooks (there is the Socket Filter and other utilities that can't be turned off, or just turn themselves right back on if disabled; not sure if this is why), but once AnyConnect was fully uninstalled, the IPSec tunnel works. I thought this might be the answer, since in the Options settings for the VPN there is the option to "send all traffic over VPN" which can be turned on and off. But when I try this, it doesn't seem to allow any traffic to the LAN to connect when "send all traffic over VPN" is turned off.
What traffic should be sent over the VPN if "send all traffic over VPN" is unchecked? It seems like when I uncheck the "Send all traffic" checkbox, I cannot reach anything on the LAN when the VPN is connected. I can't ping, nslookup, or reach any intranet sites or anything. When "send all traffic" is checked, I can reach everything on the LAN fine.
Is there some way to either turn off send all traffic with AnyConnect for just "some" users, or is there some way to determine what traffic is sent over the VPN when the IPSec VPN is connected and "send all traffic over VPN" is unchecked?
Thanks.
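One way to answer the second question ("what is sent over the VPN when the box is unchecked") is to read the Mac's routing table while the tunnel is up, because the routes are what decide which destinations go through the tunnel interface. The script below is an added example, not from the original post: it parses `netstat -rn` output and lists every destination routed via a given interface, and reports which interface owns the default route. The interface name `utun3`, the two routing tables, and all addresses in them are constructed samples for illustration (on a real Mac, run `ifconfig` to find the interface the VPN created, then pipe `netstat -rn` into `routes_via_iface`).

```shell
#!/bin/sh
# Added example (not from the original post). Inspect which destinations a
# macOS routing table sends through a given interface. On a Mac with the VPN
# connected you would run:   netstat -rn | routes_via_iface utun3
# "utun3" is an assumption; check `ifconfig` for the tunnel's actual name.

routes_via_iface() {
    # $1 = interface name; routing-table text (netstat -rn format) on stdin.
    # The header row is used to locate the Netif column instead of hard-coding
    # a field number, because IPv4 rows carry a trailing "Expire" header.
    awk -v iface="$1" '
        /^Destination/ {
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        col && NF >= col && $col == iface { print $1 }
    '
}

default_via() {
    # Print the interface that owns the default route (first match wins).
    awk '
        /^Destination/ {
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        col && NF >= col && $1 == "default" { print $col; exit }
    '
}

# Helper: feed a sample table to routes_via_iface and join the result with
# spaces so a whole list can be compared in one string comparison.
tunnel_destinations() {
    printf '%s\n' "$1" | routes_via_iface "$2" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: "send all traffic over VPN" checked. The default route
# points at the tunnel, so every destination without a more specific route
# is carried through utun3. 203.0.113.10 stands in for the VPN server, which
# keeps a host route via the physical gateway so the tunnel itself can exist.
SAMPLE_ALL='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.10.0.1          UGScg        utun3
10.10.0/24         link#20            UCS          utun3
10.10.0.5          10.10.0.5          UH           utun3
127                127.0.0.1          UCS          lo0
192.168.1          link#6             UCS          en0
192.168.1.1/32     link#6             UCS          en0
203.0.113.10       192.168.1.1        UGHS         en0'

# Constructed sample: box unchecked. Only the tunnel address and its own
# subnet route via utun3; any other internal network with no route listed
# here would follow the default route out en0 instead of the tunnel.
SAMPLE_SPLIT='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg        en0
10.10.0/24         link#20            UCS          utun3
10.10.0.5          10.10.0.5          UH           utun3
127                127.0.0.1          UCS          lo0
192.168.1          link#6             UCS          en0
192.168.1.1/32     link#6             UCS          en0
203.0.113.10       192.168.1.1        UGHS         en0'

# Demo run against the constructed samples.
echo "send-all: default via $(printf '%s\n' "$SAMPLE_ALL" | default_via)"
echo "send-all: via utun3 -> $(tunnel_destinations "$SAMPLE_ALL" utun3)"
echo "split:    default via $(printf '%s\n' "$SAMPLE_SPLIT" | default_via)"
echo "split:    via utun3 -> $(tunnel_destinations "$SAMPLE_SPLIT" utun3)"
```

If the unchecked case shows nothing beyond the tunnel's own address and subnet, then whatever the internal LAN uses has no route through the tunnel, and the output of `routes_via_iface` is the list to compare against the subnets you expect the VPN to reach.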