Hi,
I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with the first supported clients being Mac OS X road warriors. I want to support split tunneling at the client as I only want traffic destined to certain subnets to be routed to the StrongSwan VPN GW.

The VPN GW software versions:

    StrongSwan: 5.2.0-7.el6
    Centos 6.6: Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Initial Mac OS X version supported is 10.10.

I read here <https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling> that the Cisco Unity plugin is needed to support split tunneling for Mac OS X clients using IKEv1.

When I configure strongswan.conf like this:

    -bash-4.1# cat strongswan.conf
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
            load_modular = yes
            plugins {
                    include strongswan.d/charon/*.conf
            }
            cisco_unity = yes
    }

    include strongswan.d/*.conf

Restart the service:

    -bash-4.1# strongswan restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.2.0 IPsec [starter]...

I do NOT see unity in the list of plugins:

    Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp

When I connect to the VPN GW, it does NOT split tunnel.

What am I missing? Is there some other library/RPM required?
I installed StrongSwan like this:

    $ sudo yum install strongswan
    Loaded plugins: fastestmirror, presto
    Setting up Install Process
    Loading mirror speeds from cached hostfile
     * epel: mirror.symnds.com
    centos                                                   | 3.7 kB     00:00
    centos/primary_db                                        | 4.6 MB     00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed
    --> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64
    --> Running transaction check
    ---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    =================================================================================================================================================
     Package              Arch        Version           Repository    Size
    =================================================================================================================================================
    Installing:
     strongswan           x86_64      5.2.0-7.el6       epel          923 k
    Installing for dependencies:
     trousers             x86_64      0.3.13-2.el6      centos        277 k

    Transaction Summary
    =================================================================================================================================================
    Install       2 Package(s)

    Total download size: 1.2 M
    Installed size: 3.4 M
    Is this ok [y/N]: y
    Downloading Packages:
    Setting up and reading Presto delta metadata
    Processing delta metadata
    Package(s) data still to download: 1.2 M
    (1/2): strongswan-5.2.0-7.el6.x86_64.rpm                 | 923 kB     00:00
    (2/2): trousers-0.3.13-2.el6.x86_64.rpm                  | 277 kB     00:00
    -------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                         3.9 MB/s   | 1.2 MB     00:00
    warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Importing GPG key 0x0608B895:
     Userid : EPEL (6) <[email protected]>
     Package: epel-release-6-8.noarch (installed)
     From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    Is this ok [y/N]: y
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : trousers-0.3.13-2.el6.x86_64                1/2
      Installing : strongswan-5.2.0-7.el6.x86_64               2/2
      Verifying  : trousers-0.3.13-2.el6.x86_64                1/2
      Verifying  : strongswan-5.2.0-7.el6.x86_64               2/2

    Installed:
      strongswan.x86_64 0:5.2.0-7.el6

    Dependency Installed:
      trousers.x86_64 0:0.3.13-2.el6

    Complete!

Finally, I saw Bug #737 <https://wiki.strongswan.org/issues/737>. Does this mean I must move to StrongSwan 5.2.2 to support Mac OS X split tunneling, or has it been backported to earlier releases? StrongSwan 5.2.2 looks like it is only available as an RPM on Fedora Rawhide (of the RHEL/Centos distributions), so would I need to build from sources for Centos 6?

Is it easy to support split tunneling using a third-party Mac OS X client instead of the native one?

Thanks for any help,
Ken
