[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 10:24:24 CEST 2010


Hello Claude,

could you provide some pluto logs with

  plutodebug=all

set in ipsec.conf?

Regards

Andreas

BTW, on second thought leftsubnet on the strongSwan gateway
    should be set to the subnets communicated to the Cisco
    client via the unity_split_include attribute since
    the client will probably use them during Quick Mode.
    I don't know if multiple subnets will cause several
    Quick Modes to be set up, though.

Regards

Andreas

On 22.10.2010 09:55, Claude Tompers wrote:
> Hello Andreas,
> 
> Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
> The Cisco client tells me "Negotiating security policies" before it stops silently.
> On the other side, I don't see much in the pluto logs.
> Any ideas?
> 
> kind regards,
> Claude
> 
> 
> On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
>> Hello Claude,
>>
>> yes it should be possible with the Cisco_Unity functionality added
>> to the attr-sql plugin with strongswan-4.4.1:
>>
>> - Enable the attr-sql and sqlite plugins
>>
>>   ./configure ... --enable-sqlite --enable-attr-sql
>>
>> - Create an SQLite database:
>>
>>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
>>
>> - Define the path to the database in strongswan.conf
>>
>>   libhydra {
>>     plugins {
>>       attr-sql {
>>         database = sqlite:///etc/ipsec.d/ipsec.db
>>       }
>>     }
>>   }
>>
>> - Create a virtual IP pool in the database using the ipsec pool tool
>>
>>   ipsec pool -add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>>
>> - Add internal DNS and WINS servers
>>
>>   ipsec pool --addattr dns  --server 10.1.0.10
>>   ipsec pool --addattr dns  --server 10.1.1.10
>>   ipsec pool --addattr nbns --server 10.1.0.20
>>   ipsec pool --addattr nbns --server 10.1.1.20
>>
>> - Add default domain
>>
>>   ipsec pool --addattr unity_def_domain  --string "strongswan.org"
>>
>> - Add welcome banner
>>
>>   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>>
>> - Add split tunneling subnets !!!
>>
>>   ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>
>> - List all configured attributes
>>
>>   ipsec pool --statusattr
>>
>> - Configure the pool in ipsec.conf
>>
>>   conn rw-cisco
>>        right=%any
>>        rightsourceip=%mypool
>>        leftsubnet=0.0.0.0/0
>>
>> I haven't actually tested this with the Cisco VPN Client but it
>> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
>> networks is tunneled.
>>
>> Regards
>>
>> Andreas
>>
>> On 21.10.2010 10:57, Claude Tompers wrote:
>>> Hello,
>>>
>>> Is it possible to do split tunneling with CISCO VPN client and pluto
>>> so that a road-warrior is still able to access i.e. printers in his
>>> local network?
>>>
>>> kind regards Claude

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
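The thread's last point is that the subnets handed to the Cisco client via unity_split_include (dotted-netmask form, as passed to `ipsec pool --addattr unity_split_include --subnet`) are what the client will propose as traffic selectors in Quick Mode, so leftsubnet on the gateway should list the same networks. The script below is an added example, not code from the thread or from the strongSwan project: it parses the attribute string, rejects malformed entries (host bits set, non-contiguous masks), renders the matching leftsubnet value in CIDR form, and reports any split-include network that has no identical leftsubnet entry. The sample attribute value is the one from the thread; the function names and the exact-match rule are this example's own assumptions, not a statement of how pluto narrows selectors.

```python
import ipaddress

# Sample value taken from the thread; the check below works on any such string.
UNITY_SPLIT_INCLUDE = "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"


def parse_unity_split_include(value):
    """Parse a comma-separated list of address/netmask entries into
    IPv4Network objects. Raises ValueError for a missing mask, a
    non-contiguous mask, or an address with host bits set."""
    nets = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            raise ValueError("missing netmask in %r" % entry)
        # ipaddress accepts a dotted netmask after the slash and, with
        # strict=True, refuses addresses that are not the network address.
        nets.append(ipaddress.IPv4Network(entry, strict=True))
    return nets


def validate_split_include(value):
    """Return a list of error strings (empty when the attribute is well-formed)."""
    try:
        parse_unity_split_include(value)
    except ValueError as exc:
        return [str(exc)]
    return []


def leftsubnet_value(nets):
    """Render the networks as the comma-separated CIDR list for leftsubnet=."""
    return ",".join(str(n) for n in nets)


def missing_selectors(leftsubnet, split_include):
    """Return the split-include networks (as CIDR strings) that do not appear
    verbatim in the gateway's leftsubnet list. An empty list means the
    gateway's leftsubnet already mirrors what the client will propose."""
    left = {ipaddress.IPv4Network(s.strip()) for s in leftsubnet.split(",") if s.strip()}
    return [str(n) for n in parse_unity_split_include(split_include) if n not in left]


if __name__ == "__main__":
    nets = parse_unity_split_include(UNITY_SPLIT_INCLUDE)
    print("leftsubnet=" + leftsubnet_value(nets))
    # Compare against the leftsubnet=0.0.0.0/0 from the earlier mail in the thread.
    print("not mirrored by leftsubnet=0.0.0.0/0:", missing_selectors("0.0.0.0/0", UNITY_SPLIT_INCLUDE))
    print("errors in '10.1.5.0/255.255.0.0':", validate_split_include("10.1.5.0/255.255.0.0"))
```

Run it once against the attribute string you loaded into the pool and paste the printed leftsubnet= line into the conn; a non-empty missing_selectors() result is the mismatch Andreas describes between what the client proposes and what the gateway expects.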
