<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><br class="">
</div>
I was able to get split-tunneling to work for Mac OS X clients, although it was not very easy or straightforward. This mail documents the configuration in the event someone else might want to do this and asks the mailing list if there is a better way or if
there are any down-sides of this configuration. This configuration was pieced together by doing quite a bit of googling, as the StrongSwan documentation in this area is terse (or I missed the Unity attribute documentation).
<div class=""><br class="">
</div>
<div class="">One downside to this configuration I read is that all connections would get the DNS server address and that is could be more flexibly assigned using rightdns in ipsec.conf on a per connection basis. However, I did not see any way in ipsec.conf
to set the DNS search domain along with the server address.</div>
<div class=""><br class="">
</div>
<div class="">The “cisco_unity = yes” attribute was set in strongswan.d/charon.conf.</div>
<div class=""><br class="">
<br class="">
<font face="Courier" class=""># strongswan.conf - strongSwan configuration file<br class="">
#<br class="">
# Refer to the strongswan.conf(5) manpage for details<br class="">
#<br class="">
# Configuration changes should be made in the included files<br class="">
<br class="">
charon {<br class="">
load_modular = yes<br class="">
plugins {<br class="">
include strongswan.d/charon/*.conf<br class="">
attr {<br class="">
# Cisco Unity plugin attributes for IKEv1<br class="">
split-include = 10.8.64.0/23 # Send only traffic destined to leftsubnet to the tunnel interface<br class="">
split-exclude = 0.0.0.0/0 # Mac OS X client responsible for routing all non-tunnel traffic elsewhere <br class="">
dns = 10.8.65.164 # DNS server in leftsubnet<br class="">
28674 = xyz.internal # UNITY_DEF_DOMAIN attribute to set DNS search domain<br class="">
}<br class="">
}<br class="">
}<br class="">
<br class="">
#<br class="">
# Enable the Cisco Unity plugin by adding the following line<br class="">
# in strongswan.d/charon.conf, if it is not already<br class="">
#<br class="">
# cisco_unity = yes<br class="">
#<br class="">
include strongswan.d/*.conf<br class="">
<br class="">
</font><br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">On Jan 26, 2015, at 4:39 PM, Ken Nelson <<a href="mailto:ken@cazena.com" class="">ken@cazena.com</a>> wrote:<br class="">
<br class="">
Hi,<br class="">
<br class="">
<br class="">
I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with the first supported clients being Mac OS X road warriors. I want to support split tunneling at the client as I only want traffic destined to certain subnets to be routed to the StrongSwan
VPN GW.<br class="">
<br class="">
The VPN GW software versions:<br class="">
StrongSwan: 5.2.0-7.el6<br class="">
Centos 6.6: Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux<br class="">
<br class="">
Initial Mac OS X version supported is 10.10.<br class="">
<br class="">
I read here that the Cisco Unity plugin is needed to support split tunneling for Mac OS X clients using IKEv1.<br class="">
<br class="">
<br class="">
When I configure strongswan.conf like this:<br class="">
<br class="">
-bash-4.1# cat strongswan.conf <br class="">
# strongswan.conf - strongSwan configuration file<br class="">
#<br class="">
# Refer to the strongswan.conf(5) manpage for details<br class="">
#<br class="">
# Configuration changes should be made in the included files<br class="">
<br class="">
charon {<br class="">
load_modular = yes<br class="">
plugins {<br class="">
include strongswan.d/charon/*.conf<br class="">
}<br class="">
cisco_unity = yes<br class="">
}<br class="">
<br class="">
include strongswan.d/*.conf<br class="">
<br class="">
<br class="">
Restart the service:<br class="">
<br class="">
-bash-4.1# strongswan restart<br class="">
Stopping strongSwan IPsec...<br class="">
Starting strongSwan 5.2.0 IPsec [starter]...<br class="">
<br class="">
<br class="">
I do NOT see unity in the list of plugins:<br class="">
<br class="">
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default
farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp<br class="">
<br class="">
<br class="">
When I connect to the VPN GW, it does NOT split tunnel. What am I missing? Is there some other library/RPM required? I installed StrongSwan like this:<br class="">
<br class="">
<div class="">$ sudo yum install strongswan</div>
<div class="">Loaded plugins: fastestmirror, presto</div>
<div class="">Setting up Install Process</div>
<div class="">Loading mirror speeds from cached hostfile</div>
<div class=""> * epel: </div>
<a href="http://mirror.symnds.com" class="">mirror.symnds.com</a>
<div class=""><br class="">
</div>
<div class="">centos | 3.7 kB 00:00 </div>
<div class="">centos/primary_db | 4.6 MB 00:00 </div>
<div class="">Resolving Dependencies</div>
<div class="">--> Running transaction check</div>
<div class="">---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed</div>
<div class="">--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64</div>
<div class="">--> Running transaction check</div>
<div class="">---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed</div>
<div class="">--> Finished Dependency Resolution</div>
<div class=""><br class="">
</div>
<div class="">Dependencies Resolved</div>
<div class=""><br class="">
</div>
<div class="">=================================================================================================================================================</div>
<div class=""> Package Arch Version Repository Size</div>
<div class="">=================================================================================================================================================</div>
<div class="">Installing:</div>
<div class=""> strongswan x86_64 5.2.0-7.el6 epel 923 k</div>
<div class="">Installing for dependencies:</div>
<div class=""> trousers x86_64 0.3.13-2.el6 centos 277 k</div>
<div class=""><br class="">
</div>
<div class="">Transaction Summary</div>
<div class="">=================================================================================================================================================</div>
<div class="">Install 2 Package(s)</div>
<div class=""><br class="">
</div>
<div class="">Total download size: 1.2 M</div>
<div class="">Installed size: 3.4 M</div>
<div class="">Is this ok [y/N]: y</div>
<div class="">Downloading Packages:</div>
<div class="">Setting up and reading Presto delta metadata</div>
<div class="">Processing delta metadata</div>
<div class="">Package(s) data still to download: 1.2 M</div>
<div class="">(1/2): strongswan-5.2.0-7.el6.x86_64.rpm | 923 kB 00:00 </div>
<div class="">(2/2): trousers-0.3.13-2.el6.x86_64.rpm | 277 kB 00:00 </div>
<div class="">-------------------------------------------------------------------------------------------------------------------------------------------------</div>
<div class="">Total 3.9 MB/s | 1.2 MB 00:00 </div>
<div class="">warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY</div>
<div class="">Retrieving key from </div>
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
<div class=""><br class="">
</div>
<div class="">Importing GPG key 0x0608B895:</div>
<div class=""> Userid : EPEL (6) <</div>
epel@fedoraproject.org
<div class="">></div>
<div class=""> Package: epel-release-6-8.noarch (installed)</div>
<div class=""> From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6</div>
<div class="">Is this ok [y/N]: y</div>
<div class="">Running rpm_check_debug</div>
<div class="">Running Transaction Test</div>
<div class="">Transaction Test Succeeded</div>
<div class="">Running Transaction</div>
<div class=""> Installing : trousers-0.3.13-2.el6.x86_64 1/2 </div>
<div class=""> Installing : strongswan-5.2.0-7.el6.x86_64 2/2 </div>
<div class=""> Verifying : trousers-0.3.13-2.el6.x86_64 1/2 </div>
<div class=""> Verifying : strongswan-5.2.0-7.el6.x86_64 2/2 </div>
<div class=""><br class="">
</div>
<div class="">Installed:</div>
<div class=""> strongswan.x86_64 0:5.2.0-7.el6 </div>
<div class=""><br class="">
</div>
<div class="">Dependency Installed:</div>
<div class=""> trousers.x86_64 0:0.3.13-2.el6 </div>
<div class=""><br class="">
</div>
<div class="">Complete!</div>
<br class="Apple-interchange-newline">
<br class="">
<br class="">
<br class="">
Finally, I saw Bug #737. Does this mean I must move to StrongSwan 5.2.2 to support Mac OS X split tunneling, or has it been back ported to earlier releases? StrongSwan 5.2.2 looks like it is only available as an RPM on Fedora Rawhide (of the RHEL/Centos distributions),
so I would need to build from sources for Centos 6? Is it easy to support split tunneling using a third-party Mac OS X client instead of the native one?<br class="">
<br class="">
<br class="">
Thanks for any help,<br class="">
<br class="">
<br class="">
Ken<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
Users mailing list<br class="">
Users@lists.strongswan.org<br class="">
https://lists.strongswan.org/mailman/listinfo/users<br class="">
</blockquote>
<br class="">
</div>
</body>
</html>