I was able to get split-tunneling to work for Mac OS X clients, although it was
not very easy or straightforward. This mail documents the configuration in
the event someone else might want to do this and asks the mailing list if there
is a better way or if there are any downsides of this configuration. This
configuration was pieced together by doing quite a bit of googling as the
StrongSwan documentation in this area is terse (or I missed the Unity attribute
documentation).
One downside to this configuration I read is that all connections would get the
DNS server address and that it could be more flexibly assigned using rightdns
in ipsec.conf on a per connection basis. However, I did not see any way in
ipsec.conf to set the DNS search domain along with the server address.
The “cisco_unity = yes” attribute was set in strongswan.d/charon.conf.
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            # Cisco Unity plugin attributes for IKEv1
            split-include = 10.8.64.0/23   # Send only traffic destined to leftsubnet to the tunnel interface
            split-exclude = 0.0.0.0/0      # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
            dns = 10.8.65.164              # DNS server in leftsubnet
            28674 = xyz.internal           # UNITY_DEF_DOMAIN attribute to set DNS search domain
        }
    }
}

#
# Enable the Cisco Unity plugin by adding the following line
# in strongswan.d/charon.conf, if it is not already
#
# cisco_unity = yes
#
include strongswan.d/*.conf
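A small checker for the attr block above, added here as an example and not part of the original mail or of strongSwan: it parses the subset of strongswan.conf syntax used in the mail (key = value, nested sections in braces, # comments, include lines) and then verifies the one consistency property that matters for a split tunnel, namely that the DNS server handed out via the Unity attributes actually lies inside a split-include subnet, since otherwise resolver traffic never enters the tunnel. The sample text is the mail's own attr block with the wrapped comments rejoined; the attribute names are the ones the mail uses and the finding messages are this example's own wording.

```python
"""Parse a strongswan.conf-style text and sanity-check the Cisco Unity
split-tunnel attributes in charon.plugins.attr.

Added example, not strongSwan's own code. Handles only the syntax subset
used on this page: `key = value`, `section { ... }`, `# comments` and
`include` lines (includes are recorded, not followed).
"""
import ipaddress

# Constructed sample: the attr block from the mail, comments rejoined.
SAMPLE_CONF = """\
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            # Cisco Unity plugin attributes for IKEv1
            split-include = 10.8.64.0/23   # only leftsubnet traffic enters the tunnel
            split-exclude = 0.0.0.0/0      # client routes everything else locally
            dns = 10.8.65.164              # DNS server in leftsubnet
            28674 = xyz.internal           # UNITY_DEF_DOMAIN: DNS search domain
        }
    }
}
include strongswan.d/*.conf
"""


def parse_conf(text):
    """Return nested dicts; `include` lines are collected under '__includes__'."""
    root = {"__includes__": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        if line.endswith("{"):
            child = {"__includes__": []}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.startswith("include "):
            stack[-1]["__includes__"].append(line[len("include "):].strip())
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError("unparseable line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def _csv(value):
    """Split a comma-separated attr value into its non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_split_tunnel(conf):
    """Return a list of findings; an empty list means the attr block is consistent."""
    findings = []
    attr = conf.get("charon", {}).get("plugins", {}).get("attr")
    if attr is None:
        return ["no charon.plugins.attr section: no Unity attributes will be sent"]
    includes = [ipaddress.ip_network(n) for n in _csv(attr.get("split-include", ""))]
    if not includes:
        findings.append("split-include missing: client will tunnel all traffic")
    for server in _csv(attr.get("dns", "")):
        # A resolver outside every split-include subnet is reached off-tunnel.
        if not any(ipaddress.ip_address(server) in net for net in includes):
            findings.append("dns %s is outside split-include; resolver traffic "
                            "will not use the tunnel" % server)
    if "28674" not in attr:
        findings.append("UNITY_DEF_DOMAIN (28674) not set: client gets no search domain")
    return findings


if __name__ == "__main__":
    for finding in check_split_tunnel(parse_conf(SAMPLE_CONF)) or ["attr block OK"]:
        print(finding)
```

Run against the mail's block it reports nothing, because 10.8.65.164 sits inside 10.8.64.0/23; swap in an external resolver and the check flags it, which is the case where a "working" split tunnel silently leaks internal name lookups to the local network's DNS.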
On Jan 26, 2015, at 4:39 PM, Ken Nelson <[email protected]> wrote:
Hi,
I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with
the first supported clients being Mac OS X road warriors. I want to support
split tunneling at the client as I only want traffic destined to certain
subnets to be routed to the StrongSwan VPN GW.
The VPN GW software versions:
StrongSwan: 5.2.0-7.el6
Centos 6.6: Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Initial Mac OS X version supported is 10.10.
I read here that the Cisco Unity plugin is needed to support split tunneling
for Mac OS X clients using IKEv1.
When I configure strongswan.conf like this:
-bash-4.1# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    cisco_unity = yes
}

include strongswan.d/*.conf
Restart the service:
-bash-4.1# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.2.0 IPsec [starter]...
I do NOT see unity in the list of plugins:
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
When I connect to the VPN GW, it does NOT split tunnel. What am I missing? Is
there some other library/RPM required? I installed StrongSwan like this:
$ sudo yum install strongswan
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
 * epel: mirror.symnds.com
centos                                                   | 3.7 kB     00:00
centos/primary_db                                        | 4.6 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch        Version              Repository          Size
================================================================================
Installing:
 strongswan       x86_64      5.2.0-7.el6          epel               923 k
Installing for dependencies:
 trousers         x86_64      0.3.13-2.el6         centos             277 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total download size: 1.2 M
Installed size: 3.4 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.2 M
(1/2): strongswan-5.2.0-7.el6.x86_64.rpm                 | 923 kB     00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm                  | 277 kB     00:00
--------------------------------------------------------------------------------
Total                                           3.9 MB/s | 1.2 MB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid : EPEL (6) <[email protected]>
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : trousers-0.3.13-2.el6.x86_64                                 1/2
  Installing : strongswan-5.2.0-7.el6.x86_64                                2/2
  Verifying  : trousers-0.3.13-2.el6.x86_64                                 1/2
  Verifying  : strongswan-5.2.0-7.el6.x86_64                                2/2

Installed:
  strongswan.x86_64 0:5.2.0-7.el6

Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6

Complete!
Finally, I saw Bug #737. Does this mean I must move to StrongSwan 5.2.2 to
support Mac OS X split tunneling, or has it been back-ported to earlier
releases? StrongSwan 5.2.2 looks like it is only available as an RPM on Fedora
Rawhide (of the RHEL/Centos distributions), so I would need to build from sources
for Centos 6? Is it easy to support split tunneling using a third-party Mac OS X
client instead of the native one?
Thanks for any help,
Ken
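The symptom in the question above is that "unity" never shows up in charon's "loaded plugins:" line. The following is an added example (not from the thread or from strongSwan) of the check one would put in a deployment test so the gap is caught before a client is told the tunnel is split: it pulls the plugin list out of a charon syslog excerpt and reports which of the plugins the thread relies on (attr and unity) are absent. The log text is constructed from the line in the mail; the regex assumes charon's usual "NN[LIB] loaded plugins:" prefix, which is the format shown in the mail.

```python
"""Report strongSwan charon plugins that are missing from the daemon's
"loaded plugins:" log line.

Added example, not strongSwan's own code. The log excerpt is constructed
from the plugin line quoted in the mail, with one unrelated line added to
show that only the plugin-list line is consulted.
"""
import re

SAMPLE_LOG = """\
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0)
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
"""

# Matches the charon log prefix shown in the mail: "<thread>[LIB] loaded plugins: ..."
PLUGIN_LINE = re.compile(r"charon: \d+\[LIB\] loaded plugins: (.*)$")

# Plugins the IKEv1 Cisco Unity split-tunnel setup in this thread depends on.
REQUIRED = ("attr", "unity")


def loaded_plugins(log_text):
    """Return the plugin set from the LAST 'loaded plugins' line (a restart
    logs a fresh line), or None if the daemon never logged one."""
    found = None
    for line in log_text.splitlines():
        match = PLUGIN_LINE.search(line)
        if match:
            found = set(match.group(1).split())
    return found


def missing_plugins(log_text, required=REQUIRED):
    """Return the required plugins that are not loaded, sorted for stable output."""
    plugins = loaded_plugins(log_text)
    if plugins is None:
        return sorted(required)  # no evidence of any plugin: treat all as missing
    return sorted(p for p in required if p not in plugins)


if __name__ == "__main__":
    missing = missing_plugins(SAMPLE_LOG)
    print("missing plugins: %s" % (", ".join(missing) or "none"))
```

On the excerpt from the mail this reports unity as missing while attr is present, which matches the observed behaviour: the attr plugin alone sends DNS attributes, but without unity the split-include/split-exclude attributes are never offered and the client tunnels everything.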
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users