<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Hi,
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with the first supported clients being Mac OS X road warriors.  I want to support split tunneling at the client as I only want traffic destined to certain subnets to be routed
 to the StrongSwan VPN GW.</div>
<div class=""><br class="">
</div>
<div class="">The VPN GW software versions:<br class="">
   StrongSwan:  5.2.0-7.el6<br class="">
   CentOS 6.6:  Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux<br class="">
<br class="">
<div class="">Initial Mac OS X version supported is 10.10.</div>
<div class=""><br class="">
</div>
<div class="">I read <a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" class="">here</a> that the Cisco Unity plugin is needed to support split tunneling for Mac OS X clients using IKEv1.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">When I configure strongswan.conf like this:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
-bash-4.1# cat strongswan.conf </div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
# strongswan.conf - strongSwan configuration file</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
#</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
# Refer to the strongswan.conf(5) manpage for details</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
#</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
# Configuration changes should be made in the included files</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227); min-height: 14px;" class="">
<br class="">
</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
charon {</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
<span class="Apple-tab-span" style="white-space:pre"></span>load_modular = yes</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
<span class="Apple-tab-span" style="white-space:pre"></span>plugins {</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
<span class="Apple-tab-span" style="white-space:pre"></span>include strongswan.d/charon/*.conf</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
<span class="Apple-tab-span" style="white-space:pre"></span>}</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
        cisco_unity = yes</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
}</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227); min-height: 14px;" class="">
<br class="">
</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
include strongswan.d/*.conf</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Restart the service:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
-bash-4.1# strongswan restart</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Stopping strongSwan IPsec...</div>
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Starting strongSwan 5.2.0 IPsec [starter]...</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I do NOT see unity in the list of plugins:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-family: Courier; background-color: rgb(226, 225, 227);" class="">
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
 socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">When I connect to the VPN GW, it does NOT split tunnel.  What am I missing?  Is there some other library/RPM required?  I installed StrongSwan like this:</div>
<div class=""><br class="">
</div>
<div class="">
<pre style="font-family: monospace, Courier; padding: 1em; border: 1px dashed rgb(47, 111, 171); background-color: rgb(249, 249, 249); line-height: 1.3em; font-size: 13px;" class="">$ sudo yum install strongswan
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
 * epel: <a href="http://mirror.symnds.com" class="">mirror.symnds.com</a>
centos                                                                                                                    | 3.7 kB     00:00     
centos/primary_db                                                                                                         | 4.6 MB     00:00     
Resolving Dependencies
--> Running transaction check
---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================
 Package                             Arch                            Version                               Repository                       Size
=================================================================================================================================================
Installing:
 strongswan                          x86_64                          5.2.0-7.el6                           epel                            923 k
Installing for dependencies:
 trousers                            x86_64                          0.3.13-2.el6                          centos                          277 k

Transaction Summary
=================================================================================================================================================
Install       2 Package(s)

Total download size: 1.2 M
Installed size: 3.4 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.2 M
(1/2): strongswan-5.2.0-7.el6.x86_64.rpm                                                                                  | 923 kB     00:00     
(2/2): trousers-0.3.13-2.el6.x86_64.rpm                                                                                   | 277 kB     00:00     
-------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                            3.9 MB/s | 1.2 MB     00:00     
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from <a href="file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6" class="">file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6</a>
Importing GPG key 0x0608B895:
 Userid : EPEL (6) <<a href="mailto:epel@fedoraproject.org" class="">epel@fedoraproject.org</a>>
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : trousers-0.3.13-2.el6.x86_64                                                                                                  1/2 
  Installing : strongswan-5.2.0-7.el6.x86_64                                                                                                 2/2 
  Verifying  : trousers-0.3.13-2.el6.x86_64                                                                                                  1/2 
  Verifying  : strongswan-5.2.0-7.el6.x86_64                                                                                                 2/2 

Installed:
  strongswan.x86_64 0:5.2.0-7.el6                                                                                                                

Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6                                                                                                                 

Complete!
</pre>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Finally, I saw <a href="https://wiki.strongswan.org/issues/737" class="">Bug #737</a>.  Does this mean I must move to StrongSwan 5.2.2 to support Mac OS X split tunneling or has it been back ported to earlier releases?  StrongSwan 5.2.2 look like
 is only available as RPM on Fedora Rawhide (of the RHEL/Centos distributions) so would need to build from sources for Centos 6?  Is easy to support split tunneling using a third-party Mac OS X client instead of the native one?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Thanks for any help,</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Ken</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><a href="https://wiki.strongswan.org/issues/737" class=""></a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</body>
</html>