[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 11:27:24 CEST 2010


Hmmm, it seems that the Cisco client doesn't like
strongSwan's ModeCfg reply containing all these
Cisco Unity attributes because it just keeps
retransmitting the ModeCfg request. Could you
find out what errors occur in the Cisco log?

Regards

Andreas

 On 22.10.2010 10:48, Claude Tompers wrote:
> Hi Andreas,
> 
> Setting the leftsubnet did not work.
> You can find the pluto log attached.
> 
> thank you
> Claude
> 
> 
> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
>> Hello Claude,
>>
>> could you provide some pluto logs with
>>
>>   plutodebug=all
>>
>> set in ipsec.conf?
>>
>> Regards
>>
>> Andreas
>>
>> BTW On second thought leftsubnet on the strongSwan gateway
>>     should be set to the subnets communicated to the Cisco
>>     client via the unity_split_include attribute since
>>     the client will probably use them during Quick Mode.
>>     I don't know if multiple subnets will cause several
>>     Quick Modes to be set up, though.
>>
>> Regards
>>
>> Andreas
>>
>> On 22.10.2010 09:55, Claude Tompers wrote:
>>> Hello Andreas,
>>>
>>> Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
>>> The Cisco client tells me "Negotiating security policies" before it stops silently.
>>> On the other side, I don't see much in the pluto logs.
>>> Any ideas?
>>>
>>> kind regards,
>>> Claude
>>>
>>>
>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
>>>> Hello Claude,
>>>>
>>>> yes it should be possible with the Cisco_Unity functionality added
>>>> to the attr-sql plugin with strongswan-4.4.1:
>>>>
>>>> - Enable the attr-sql and sqlite plugins
>>>>
>>>>   ./configure ... --enable-sqlite --enable-attr-sql
>>>>
>>>> - Create an SQLite database:
>>>>
>>>>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
>>>>
>>>> - Define the path to the database in strongswan.conf
>>>>
>>>>   libhydra {
>>>>     plugins {
>>>>       attr-sql {
>>>>         database = sqlite:///etc/ipsec.d/ipsec.db
>>>>       }
>>>>     }
>>>>   }
>>>>
>>>> - Create a virtual IP pool in the database using the ipsec pool tool
>>>>
>>>>   ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>>>>
>>>> - Add internal DNS and WINS servers
>>>>
>>>>   ipsec pool --addattr dns  --server 10.1.0.10
>>>>   ipsec pool --addattr dns  --server 10.1.1.10
>>>>   ipsec pool --addattr nbns --server 10.1.0.20
>>>>   ipsec pool --addattr nbns --server 10.1.1.20
>>>>
>>>> - Add default domain
>>>>
>>>>   ipsec pool --addattr unity_def_domain  --string "strongswan.org"
>>>>
>>>> - Add welcome banner
>>>>
>>>>   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>>>>
>>>> - Add split tunneling subnets !!!
>>>>
>>>>   ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>>>
>>>> - List all configured attributes
>>>>
>>>>   ipsec pool --statusattr
>>>>
>>>> - Configure the pool in ipsec.conf
>>>>
>>>>   conn rw-cisco
>>>>        right=%any
>>>>        rightsourceip=%mypool
>>>>        leftsubnet=0.0.0.0/0
>>>>
>>>> I haven't actually tested this with the Cisco VPN Client but it
>>>> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
>>>> networks are tunneled.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 21.10.2010 10:57, Claude Tompers wrote:
>>>>> Hello,
>>>>>
>>>>> Is it possible to do split tunneling with CISCO VPN client and pluto
>>>>> so that a road-warrior is still able to access i.e. printers in his
>>>>> local network?
>>>>>
>>>>> kind regards Claude

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
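Added example, not code from this thread or from the strongSwan project: a POSIX shell helper that turns the CIDR form used in ipsec.conf (10.1.0.0/16) into the network/netmask form the unity_split_include attribute takes, rejects entries whose host bits are set, and prints the resulting ipsec pool command for the two subnets from the thread. The function names are my own; only the attribute name, option names and subnets come from the thread.

```shell
#!/bin/sh
# Convert CIDR prefixes (the form ipsec.conf uses) into the "network/netmask"
# form that `ipsec pool --addattr unity_split_include --subnet` takes. Entries
# with non-zero host bits are rejected: a typo like 10.1.0.1/16 would otherwise
# change which traffic the Cisco client routes into the tunnel.

ip_to_int() {
    # $1: dotted quad -> unsigned 32-bit integer; returns 1 if not a valid IPv4 address
    addr=$1
    case "$addr" in *.*.*.*) ;; *) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # $1: unsigned 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_to_unity() {
    # $1: "network/prefixlen" -> "network/netmask"; returns 1 if malformed
    case "$1" in */*) ;; *) return 1 ;; esac
    net=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    ipi=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    # host bits must be zero, otherwise this is a host address, not a subnet
    [ $(( ipi & ~mask & 0xFFFFFFFF )) -eq 0 ] || return 1
    echo "$net/$(int_to_ip "$mask")"
}

unity_split_list() {
    # $@: CIDR subnets -> comma-separated --subnet argument; fails on any bad entry
    out=
    for c in "$@"; do
        u=$(cidr_to_unity "$c") || return 1
        out="${out:+$out,}$u"
    done
    echo "$out"
}

# Constructed input: the two subnets from the thread that should be tunneled.
list=$(unity_split_list 10.1.0.0/16 10.3.5.0/24) &&
    echo "ipsec pool --addattr unity_split_include --subnet \"$list\""
```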