[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 14:06:55 CEST 2010


Hello Claude,

it is not evident from the log which attribute[s]
the Cisco VPN client doesn't like. I recommend to
remove all Cisco_Unity attributes from the SQLite
database keeping only the virtual IP so that the
negotiation goes on to Quick Mode and then add
back the attributes one-by-one until ModeCfg fails
so that the actual error can be identified.

I just know that Astaro got the split tunneling working
since we jointly developed the attr-sql functionality
but I didn't test the interoperability with the Cisco
client myself.

Regards

Andreas

On 22.10.2010 11:40, Claude Tompers wrote:
> I attached the Cisco log.
> I think the interesting part starts at message 24.
> 
> kind regards,
> Claude
> 
> 
> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
>> Hmmm, it seems that the Cisco client doesn't like
>> strongSwan's ModeCfg reply containing all these
>> Cisco Unity attributes because it just keeps
>> retransmitting the ModeCfg request. Could you
>> find out what errors occur in the Cisco log?
>>
>> Regards
>>
>> Andreas
>>
>> On 22.10.2010 10:48, Claude Tompers wrote:
>>> Hi Andreas,
>>>
>>> Setting the leftsubnet did not work.
>>> You can find the pluto log attached.
>>>
>>> thank you
>>> Claude
>>>
>>>
>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
>>>> Hello Claude,
>>>>
>>>> could you provide some pluto logs with
>>>>
>>>>   plutodebug=all
>>>>
>>>> set in ipsec.conf?
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> BTW On second thought leftsubnet on the strongSwan gateway
>>>>     should be set to the subnet communicated to the Cisco
>>>>     client via the unity_split_include attribute since
>>>>     the client will probably use them during Quick Mode.
>>>>     I don't know if multiple subnets will cause several
>>>>     Quick Modes to be set up, though.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 22.10.2010 09:55, Claude Tompers wrote:
>>>>> Hello Andreas,
>>>>>
>>>>> Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
>>>>> The Cisco client tells me "Negotiating security policies" before it stops silently.
>>>>> On the other side, I don't see much in the pluto logs.
>>>>> Any ideas?
>>>>>
>>>>> kind regards,
>>>>> Claude
>>>>>
>>>>>
>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
>>>>>> Hello Claude,
>>>>>>
>>>>>> yes it should be possible with the Cisco_Unity functionality added
>>>>>> to the attr-sql plugin with strongswan-4.4.1:
>>>>>>
>>>>>> - Enable the attr-sql and sqlite plugins
>>>>>>
>>>>>>   ./configure ... --enable-sqlite --enable-attr-sql
>>>>>>
>>>>>> - Create an SQLite database:
>>>>>>
>>>>>>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
>>>>>>
>>>>>> - Define the path to the database in strongswan.conf
>>>>>>
>>>>>>   libhydra {
>>>>>>     plugins {
>>>>>>       attr-sql {
>>>>>>         database = sqlite:///etc/ipsec.d/ipsec.db
>>>>>>       }
>>>>>>     }
>>>>>>   }
>>>>>>
>>>>>> - Create a virtual IP pool in the database using the ipsec pool tool
>>>>>>
>>>>>>   ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>>>>>>
>>>>>> - Add internal DNS and WINS servers
>>>>>>
>>>>>>   ipsec pool --addattr dns  --server 10.1.0.10
>>>>>>   ipsec pool --addattr dns  --server 10.1.1.10
>>>>>>   ipsec pool --addattr nbns --server 10.1.0.20
>>>>>>   ipsec pool --addattr nbns --server 10.1.1.20
>>>>>>
>>>>>> - Add default domain
>>>>>>
>>>>>>   ipsec pool --addattr unity_def_domain  --string "strongswan.org"
>>>>>>
>>>>>> - Add welcome banner
>>>>>>
>>>>>>   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>>>>>>
>>>>>> - Add split tunneling subnets !!!
>>>>>>
>>>>>>   ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>>>>>
>>>>>> - List all configured attributes
>>>>>>
>>>>>>   ipsec pool --statusattr
>>>>>>
>>>>>> - Configure the pool in ipsec.conf
>>>>>>
>>>>>>   conn rw-cisco
>>>>>>        right=%any
>>>>>>        rightsourceip=%mypool
>>>>>>        leftsubnet=0.0.0.0/0
>>>>>>
>>>>>> I haven't actually tested this with the Cisco VPN Client but it
>>>>>> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
>>>>>> networks are tunneled.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Is it possible to do split tunneling with CISCO VPN client and pluto
>>>>>>> so that a road-warrior is still able to access i.e. printers in his
>>>>>>> local network?
>>>>>>>
>>>>>>> kind regards Claude

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
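The unity_split_include step in the thread takes subnets as "network/dotted-netmask" pairs, while the rest of the configuration uses CIDR. The following shell helper is an added example (not from the thread and not part of strongSwan or its ipsec pool tool): it converts a CIDR list into the dotted-mask form for that attribute and rejects malformed entries before they reach the database. The function names are made up for this example.

```shell
#!/bin/sh
# Added helper: convert CIDR subnets into the "network/netmask" list that
# the unity_split_include attribute expects (assumed format, as shown in
# the thread). Function names here are this example's own.

# Prefix length (0..32) -> dotted-decimal netmask; fails on anything else.
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] 2>/dev/null && [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then
        m=0
    else
        m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))   # top p bits set
    fi
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                           $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# "10.1.0.0/16" -> "10.1.0.0/255.255.0.0"; fails on a missing slash or bad prefix.
cidr_to_unity() {
    net=${1%/*}
    plen=${1#*/}
    [ "$net" != "$1" ] || return 1          # no "/" present
    mask=$(prefix_to_mask "$plen") || return 1
    printf '%s/%s\n' "$net" "$mask"
}

# Comma-separated CIDR list -> comma-separated unity_split_include value.
# Any invalid entry makes the whole list fail, so nothing half-converted
# is ever handed to ipsec pool.
unity_split_list() {
    out=""
    for cidr in $(printf '%s' "$1" | tr ',' ' '); do
        u=$(cidr_to_unity "$cidr") || return 1
        out="${out:+$out,}$u"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Render the ipsec pool command from the thread with the converted value.
emit_split_include_cmd() {
    list=$(unity_split_list "$1") || { echo "invalid subnet list: $1" >&2; return 1; }
    printf 'ipsec pool --addattr unity_split_include --subnet "%s"\n' "$list"
}

# Same two subnets as in the thread, given in CIDR form.
emit_split_include_cmd "10.1.0.0/16,10.3.5.0/24"
```

The printed command is meant to be reviewed and then run on the gateway; the script itself does not touch the SQLite database.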
