[strongSwan] Split tunneling
Claude Tompers
claude.tompers at restena.lu
Fri Oct 22 09:55:19 CEST 2010
Hello Andreas,
Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
The Cisco client tells me "Negotiating security policies" before it stops silently.
On the other side, I don't see much in the pluto logs.
Any ideas?
Kind regards,
Claude
On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
> Hello Claude,
>
> Yes, it should be possible with the Cisco_Unity functionality added
> to the attr-sql plugin with strongswan-4.4.1:
>
> - Enable the attr-sql and sqlite plugins
>
> ./configure ... --enable-sqlite --enable-attr-sql
>
> - Create an SQLite database:
>
> cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
>
> - Define the path to the database in strongswan.conf
>
> libhydra {
>     plugins {
>         attr-sql {
>             database = sqlite:///etc/ipsec.d/ipsec.db
>         }
>     }
> }
>
> - Create a virtual IP pool in the database using the ipsec pool tool
>
> ipsec pool -add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>
> - Add internal DNS and WINS servers
>
> ipsec pool --addattr dns --server 10.1.0.10
> ipsec pool --addattr dns --server 10.1.1.10
> ipsec pool --addattr nbns --server 10.1.0.20
> ipsec pool --addattr nbns --server 10.1.1.20
>
> - Add default domain
>
> ipsec pool --addattr unity_def_domain --string "strongswan.org"
>
> - Add welcome banner
>
> ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>
> - Add split tunneling subnets !!!
>
> ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>
> - List all configured attributes
>
> ipsec pool --statusattr
>
> - Configure the pool in ipsec.conf
>
> conn rw-cisco
>     right=%any
>     rightsourceip=%mypool
>     leftsubnet=0.0.0.0/0
>
> I haven't actually tested this with the Cisco VPN Client but it
> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
> networks are tunneled.
>
> Regards
>
> Andreas
>
> On 21.10.2010 10:57, Claude Tompers wrote:
> > Hello,
> >
> > Is it possible to do split tunneling with the CISCO VPN client and pluto
> > so that a road-warrior is still able to access i.e. printers in his
> > local network?
> >
> > Kind regards, Claude
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
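To see what Andreas's unity_split_include value actually does on the client side, here is an added example (not code from the thread or from strongSwan) that parses the subnet string exactly as given to `ipsec pool --addattr unity_split_include --subnet`, rejects malformed entries, and decides for a list of constructed destinations whether the road-warrior sends them through the tunnel or directly to its local network. The destination addresses and the printer address are constructed sample values.

```python
import ipaddress

# Value taken verbatim from the thread: network/netmask pairs, comma separated.
SPLIT_INCLUDE = "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"


def parse_split_include(value):
    """Parse a Unity split-include string into IPv4 networks.

    Each entry is 'network/netmask'. A non-contiguous mask, a host mask
    (e.g. 0.0.0.255) or host bits set in the network part raise ValueError,
    since such an entry would not describe the subnet the admin intended.
    """
    nets = []
    for entry in value.split(","):
        net, _, mask = entry.strip().partition("/")
        if not mask:
            raise ValueError(f"missing netmask in {entry!r}")
        m = int(ipaddress.IPv4Address(mask))
        inv = ~m & 0xFFFFFFFF
        # A contiguous netmask inverts to a run of low 1-bits: inv & (inv+1) == 0
        if inv & (inv + 1):
            raise ValueError(f"non-contiguous netmask in {entry!r}")
        # strict=True rejects a network part with host bits set
        nets.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=True))
    return nets


def is_tunneled(dst, include_nets):
    """True if the client should send traffic for dst through the tunnel."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in n for n in include_nets)


def route_decisions(value, destinations):
    """Map each destination to True (tunneled) or False (sent directly)."""
    nets = parse_split_include(value)
    return {d: is_tunneled(d, nets) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: two internal hosts, the road-warrior's
    # local printer, and a public address.
    sample = ["10.1.0.10", "10.3.5.7", "192.168.1.50", "8.8.8.8"]
    for dst, tunneled in route_decisions(SPLIT_INCLUDE, sample).items():
        print(f"{dst:15} -> {'tunnel' if tunneled else 'direct'}")
```

Note that the virtual IP pool 10.3.0.1-10.3.0.254 is itself outside both include subnets, so with this list traffic between two road-warriors would not be tunneled.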