Hi Ben,
In your search for a cleaner way, almost anything will probably be cleaner than
the default activity, which seems to be to add an individual route for every
other IP address you try to connect to. After a minute or so, this is the top
of my routing table:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default            192.168.1.10       UGScI          12        0     en1
10.66.0.2          utun0              UHWIi          25      211   utun0
10.66.2.2          utun0              UHW3Ii          0        9   utun0
10.66.3.78         utun0              UHW3Ii          0        9   utun0
10.66.4.147        utun0              UHW3Ii          0        9   utun0
10.66.54.21        utun0              UHWIi           2       49   utun0
10.100.255.1       10.100.255.1       UH              1       36   utun0
17.72.255.11       utun0              UHWIi           1        3   utun0
65.55.223.14       utun0              UHW3Ii          0        3   utun0
93.97.103.209      utun0              UHW3Ii          0        6   utun0
111.221.74.14      utun0              UHW3Ii          0        3   utun0
111.221.74.27      utun0              UHW3Ii          0        6   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              4    22033     lo0
157.55.56.145      utun0              UHW3Ii          0        3   utun0
157.55.130.143     utun0              UHW3Ii          0        3   utun0
157.55.130.157     utun0              UHWIi           1        2   utun0
157.55.235.142     utun0              UHW3Ii          0        3   utun0
157.56.52.15       utun0              UHW3Ii          0        3   utun0
......
The original default route is still there (192.168.1.10), but the other one
comes first, so it gets used. Then every other host I connect to, whether on a
private or public subnet, gets a new entry. I don't think there is anything
that times them out either. So after a few hours, you're going to have a
massive routing table and I would expect the machine would slow down a bit.
My organisation is 100% Mac-based and we wanted a split VPN with direct
internet access and access to a private network over VPN. I have a strongSwan
config that does that fine on Windows/Linux, but everything goes over the VPN on
OS X. :-( You might want to consider Tunnelblick and OpenVPN instead of IPsec
VPNs for OS X. Unfortunately that's not available for iPhone/iPad users.
If the Cisco extensions could help, then I'll add a +1 to that feature request
;-)
Max
> From: [email protected]
> To: [email protected]
> Date: Fri, 24 Aug 2012 10:44:05 +0200
> CC: [email protected]
> Subject: Re: [strongSwan] Strongswan + OS X (Cisco IPsec) + default route?
>
> Hi Ben,
>
> > I've found a few hacks that require installing custom applescript to
> > override the default route, but I'm hoping there's a cleaner, better
> > way. Any suggestions?
>
> The best way to set up split tunneling with OS X is to use the Cisco
> Unity extensions. These allow you to define (on the responder) which
> subnets to include into the tunnel, but we currently don't support them.
> We might bring support for it in a future release, but not sure yet when
> this will happen.
>
> Regards
> Martin
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
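The growth Max describes is easy to measure: in the table above, the VPN default route carries the C (cloning) flag, so every new peer gets its own host route (flags H plus W, "was cloned"), and none of them expire. The following script is an added example written for this thread, not code from the strongSwan project or from either poster. It parses IPv4 `netstat -rn` output in the format shown above, reports which interface owns the effective (first) default route, which other default routes it shadows, and how many host routes and cloned host routes each interface has accumulated, and raises a warning once the cloned-route count on one interface passes a threshold. The sample table is constructed from a subset of the entries quoted in the message; the threshold value is an arbitrary choice, not something the thread specifies.

```python
"""Report routing-table bloat from a cloning default route, as seen on OS X
with a full-tunnel IPsec VPN.  Added example for the strongSwan users thread,
not project code.  Feed it `netstat -rn` on stdin or run it on the sample."""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the table quoted in the message, in the
# column layout that `netstat -rn` prints on OS X.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default            192.168.1.10       UGScI          12        0     en1
10.66.0.2          utun0              UHWIi          25      211   utun0
10.66.2.2          utun0              UHW3Ii          0        9   utun0
10.100.255.1       10.100.255.1       UH              1       36   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              4    22033     lo0
157.55.56.145      utun0              UHW3Ii          0        3   utun0
"""


@dataclass
class Route:
    destination: str
    gateway: str
    flags: str      # BSD flag letters: U up, G gateway, H host, C cloning,
    refs: int       # S static, W "was cloned" (created from a C route)
    use: int
    netif: str
    expire: Optional[str] = None


def parse_routes(text: str) -> List[Route]:
    """Parse the IPv4 section of `netstat -rn`; skip banners and the header."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue                      # "Routing tables", "Internet:", blanks
        try:
            refs, use = int(fields[3]), int(fields[4])
        except ValueError:
            continue                      # header row ("Refs", "Use") or stray text
        expire = fields[6] if len(fields) > 6 else None
        routes.append(Route(fields[0], fields[1], fields[2], refs, use, fields[5], expire))
    return routes


def effective_default(routes: List[Route]) -> Optional[Route]:
    """The kernel uses the first matching entry, so the first 'default' wins."""
    return next((r for r in routes if r.destination == "default"), None)


def shadowed_defaults(routes: List[Route]) -> List[str]:
    """Interfaces of default routes that sit behind the effective one."""
    defaults = [r for r in routes if r.destination == "default"]
    return [r.netif for r in defaults[1:]]


def host_routes_per_interface(routes: List[Route], cloned_only: bool = False) -> Counter:
    """Count host (H) routes per interface; optionally only cloned (W) ones."""
    counts: Counter = Counter()
    for r in routes:
        if "H" in r.flags and (not cloned_only or "W" in r.flags):
            counts[r.netif] += 1
    return counts


def summarize(text: str, cloned_route_threshold: int = 100) -> Dict[str, object]:
    """Summarise the table; the threshold is an arbitrary example value."""
    routes = parse_routes(text)
    default = effective_default(routes)
    cloned = host_routes_per_interface(routes, cloned_only=True)
    return {
        "default_netif": default.netif if default else None,
        "shadowed_defaults": shadowed_defaults(routes),
        "host_routes": dict(host_routes_per_interface(routes)),
        "cloned_host_routes": dict(cloned),
        "bloat_warning": any(n >= cloned_route_threshold for n in cloned.values()),
    }


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for key, value in summarize(source).items():
        print(f"{key}: {value}")
```

On a live machine, `netstat -rn | python3 route_bloat.py` (the file name is a placeholder) run a few minutes apart shows whether the cloned-route count on the tunnel interface keeps climbing; a default route on `utun0` with the C flag and a rising `cloned_host_routes` value is the pattern from the thread, and a split-tunnel configuration that installs only the private subnet via the tunnel is what makes it stop.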