I think I would block that with an ACL. Depending on the device, it is done differently. For example, the ASA permits IPSEC inherently in most configs. To disable that, you would enter "no sysopt connection permit-vpn". After that, the acl rules will apply. In IOS, it is different depending on the code version and method for deploying the VPN client. For example, with VTI, you could apply an ACL to the tunnel interface.
You can also filter via ACL in IOS. It is just done differently depending on the code version. In new code, it is best to do with VTI. I understand that you want to build a split tunnel acl based on ports and generally you don't want to build sa's at the port level.
To answer your question, I don't know if the VPN Client would register that or not. So unfortunately, I don't know. The reason it is generally not a good idea is each logical line in the acl would become an SA relationship. In other words, you can consume resources with a lot of SA's.
Basically, I define in the SA's the communication I want to encrypt, then define in an acl what I want to block. I never get down to a protocol or port level in SA definition. Really, that is what the split tunnel acl is doing is defining the SA.
I know that's not an answer to your question. If I get an opportunity to try it, I will post back with the results.
Also, one more note. The split acl affects the routing table on the client PC. The route table is not per port. That doesn't mean that it couldn't work, but it would simply drop the traffic that wasn't destined to the defined port if everything else worked.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...