[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Thu Oct 21 12:22:56 CEST 2010


Hello Claude,

Yes, it should be possible with the Cisco_Unity functionality added
to the attr-sql plugin with strongswan-4.4.1:

- Enable the attr-sql and sqlite plugins

  ./configure ... --enable-sqlite --enable-attr-sql

- Create an SQLite database:

  cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db

- Define the path to the database in strongswan.conf

  libhydra {
    plugins {
      attr-sql {
        database = sqlite:///etc/ipsec.d/ipsec.db
      }
    }
  }

- Create a virtual IP pool in the database using the ipsec pool tool

  ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48

- Add internal DNS and WINS servers

  ipsec pool --addattr dns  --server 10.1.0.10
  ipsec pool --addattr dns  --server 10.1.1.10
  ipsec pool --addattr nbns --server 10.1.0.20
  ipsec pool --addattr nbns --server 10.1.1.20

- Add default domain

  ipsec pool --addattr unity_def_domain  --string "strongswan.org"

- Add welcome banner

  ipsec pool --addattr banner --string "The network will be down from 6-8 pm"

- Add split tunneling subnets !!!

  ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"

- List all configured attributes

  ipsec pool --statusattr

- Configure the pool in ipsec.conf

  conn rw-cisco
       right=%any
       rightsourceip=%mypool
       leftsubnet=0.0.0.0/0

I haven't actually tested this with the Cisco VPN Client, but it
should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
networks is tunneled.

Regards

Andreas

On 21.10.2010 10:57, Claude Tompers wrote:
> Hello,
> 
> Is it possible to do split tunneling with CISCO VPN client and pluto
> so that a road-warrior is still able to access i.e. printers in his
> local network?
> 
> kind regards Claude

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
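The `unity_split_include` attribute in the steps above is given to the pool tool as dotted netmasks ("10.1.0.0/255.255.0.0") rather than CIDR prefix lengths, which is easy to get wrong by hand. The following POSIX sh helpers are an added example, not part of Andreas's post or of strongSwan itself: they convert and validate CIDR input, print the `ipsec pool --addattr unity_split_include` command line for review instead of executing it, and check that the DNS servers pushed to the client lie inside the split-include subnets (a server outside them is unreachable through the tunnel once split tunneling is on). The subnets and server addresses used are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: helpers for
# building the "ipsec pool --addattr unity_split_include" command described
# in the post. The pool tool takes dotted netmasks ("10.1.0.0/255.255.0.0"),
# so CIDR input is converted and validated here, and the pushed DNS servers
# are checked against the split-include subnets.
# Sample subnets and addresses are the ones used in the post.

# cidr_to_mask PREFIX -> dotted-quad netmask (16 -> 255.255.0.0)
cidr_to_mask() {
    case "$1" in
        ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
    esac
    [ "$1" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    # top PREFIX bits set: 2^32 - 2^(32-PREFIX); stays within 64-bit range
    m=$(( 4294967295 - ((1 << (32 - $1)) - 1) ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# validate_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0..255
# (subshell body so the changed IFS does not leak into the caller)
validate_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# ip_to_int ADDR -> the address as an unsigned 32-bit integer
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# to_unity_subnet A.B.C.D/LEN -> A.B.C.D/MASK in the format the pool tool expects
to_unity_subnet() {
    net=${1%/*}
    prefix=${1#*/}
    [ "$net" != "$1" ] || { echo "expected a.b.c.d/len, got: $1" >&2; return 1; }
    validate_ipv4 "$net" || { echo "bad network address: $net" >&2; return 1; }
    mask=$(cidr_to_mask "$prefix") || return 1
    printf '%s/%s\n' "$net" "$mask"
}

# build_split_include CIDR... -> comma-separated list in pool-tool format
build_split_include() {
    list=
    for cidr in "$@"; do
        entry=$(to_unity_subnet "$cidr") || return 1
        list=${list:+$list,}$entry
    done
    printf '%s\n' "$list"
}

# split_include_cmd CIDR... -> the ipsec pool command line to run
# (printed, not executed, so it can be reviewed before touching the database)
split_include_cmd() {
    subnets=$(build_split_include "$@") || return 1
    printf 'ipsec pool --addattr unity_split_include --subnet "%s"\n' "$subnets"
}

# in_split_include ADDR CIDR... -> 0 if ADDR lies inside any listed subnet.
# A DNS/WINS server pushed to the client but outside the split-include list
# cannot be reached through the tunnel, so the servers are checked here.
in_split_include() {
    addr=$(ip_to_int "$1")
    shift
    for cidr in "$@"; do
        netint=$(ip_to_int "${cidr%/*}")
        m=$(( 4294967295 - ((1 << (32 - ${cidr#*/})) - 1) ))
        [ $(( netint & m )) -eq $(( addr & m )) ] && return 0
    done
    return 1
}

# Stand-alone use: emit the command for the post's subnets and verify that
# the DNS servers from the post are reachable through the tunnel.
split_include_cmd 10.1.0.0/16 10.3.5.0/24
for dns in 10.1.0.10 10.1.1.10; do
    in_split_include "$dns" 10.1.0.0/16 10.3.5.0/24 ||
        echo "WARNING: $dns is outside the split-include subnets" >&2
done
```

Run it without arguments to see the command line for the two subnets from the post; pipe the output into a shell only after checking it, since `ipsec pool --addattr` writes straight to the attribute database. The same `in_split_include` check applies to the WINS servers and to anything else the road warrior is expected to reach over the tunnel.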