[strongSwan] Split tunneling

Claude Tompers claude.tompers at restena.lu
Fri Oct 22 14:29:31 CEST 2010


Hello Andreas,

They all fail, as soon as I set one of them (unity_def_domain / banner / unity_split_include). Cisco client says "Negotiating security policies" and it fails.
If I don't have any of those attributes set, it immediately passes on to saying "Securing channel communication" and succeeds.

kind regards,
Claude


On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
> Hello Claude,
> 
> it is not evident from the log which attribute[s]
> the Cisco VPN client doesn't like. I recommend to
> remove all Cisco_Unity attributes from the SQLite
> database keeping only the virtual IP so that the
> negotiation goes on to Quick Mode and then add
> back the attributes one-by-one until ModeCfg fails
> so that the actual error can be identified.
> 
> I just know that Astaro got the split tunneling working
> since we jointly developed the attr-sql functionality
> but I didn't test the interoperability with the Cisco
> client myself.
> 
> Regards
> 
> Andreas
> 
> On 22.10.2010 11:40, Claude Tompers wrote:
> > I attached the Cisco log.
> > I think the interesting part starts at message 24.
> > 
> > kind regards,
> > Claude
> > 
> > 
> > On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
> >> Hmmm, it seems that the Cisco client doesn't like
> >> strongSwan's ModeCfg reply containing all these
> >> Cisco Unity attributes because it just keeps
> >> retransmitting the ModeCfg request. Could you
> >> find out what errors occur in the Cisco log?
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 22.10.2010 10:48, Claude Tompers wrote:
> >>> Hi Andreas,
> >>>
> >>> Setting the leftsubnet did not work.
> >>> You can find the pluto log attached.
> >>>
> >>> thank you
> >>> Claude
> >>>
> >>>
> >>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
> >>>> Hello Claude,
> >>>>
> >>>> could you provide some pluto logs with
> >>>>
> >>>>   plutodebug=all
> >>>>
> >>>> set in ipsec.conf?
> >>>>
> >>>> Regards
> >>>>
> >>>> Andreas
> >>>>
> >>>> BTW On second thought, leftsubnet on the strongSwan gateway
> >>>>     should be set to the subnets communicated to the Cisco
> >>>>     client via the unity_split_include attribute, since
> >>>>     the client will probably use them during Quick Mode.
> >>>>     I don't know if multiple subnets will cause several
> >>>>     Quick Modes to be set up, though.
> >>>>
> >>>> Regards
> >>>>
> >>>> Andreas
> >>>>
> >>>> On 22.10.2010 09:55, Claude Tompers wrote:
> >>>>> Hello Andreas,
> >>>>>
> >>>>> Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
> >>>>> The Cisco client tells me "Negotiating security policies" before it stops silently.
> >>>>> On the other side, I don't see much in the pluto logs.
> >>>>> Any ideas?
> >>>>>
> >>>>> kind regards,
> >>>>> Claude
> >>>>>
> >>>>>
> >>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
> >>>>>> Hello Claude,
> >>>>>>
> >>>>>> yes it should be possible with the Cisco_Unity functionality added
> >>>>>> to the attr-sql plugin with strongswan-4.4.1:
> >>>>>>
> >>>>>> - Enable the attr-sql and sqlite plugins
> >>>>>>
> >>>>>>   ./configure ... --enable-sqlite --enable-attr-sql
> >>>>>>
> >>>>>> - Create an SQLite database:
> >>>>>>
> >>>>>>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql |
> >>>>>> sqlite3 /etc/ipsec.d/ipsec.db
> >>>>>>
> >>>>>> - Define the path to the database in strongswan.conf
> >>>>>>
> >>>>>>   libhydra {
> >>>>>>     plugins {
> >>>>>>       attr-sql {
> >>>>>>         database = sqlite:///etc/ipsec.d/ipsec.db
> >>>>>>       }
> >>>>>>     }
> >>>>>>   }
> >>>>>>
> >>>>>> - Create a virtual IP pool in the database using the ipsec pool tool
> >>>>>>
> >>>>>>   ipsec pool -add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
> >>>>>>
> >>>>>> - Add internal DNS and WINS servers
> >>>>>>
> >>>>>>   ipsec pool --addattr dns  --server 10.1.0.10
> >>>>>>   ipsec pool --addattr dns  --server 10.1.1.10
> >>>>>>   ipsec pool --addattr nbns --server 10.1.0.20
> >>>>>>   ipsec pool --addattr nbns --server 10.1.1.20
> >>>>>>
> >>>>>> - Add default domain
> >>>>>>
> >>>>>>   ipsec pool --addattr unity_def_domain  --string "strongswan.org"
> >>>>>>
> >>>>>> - Add welcome banner
> >>>>>>
> >>>>>>   ipsec pool --addattr banner --string "The network will be down from
> >>>>>> 6-8 pm"
> >>>>>>
> >>>>>> - Add split tunneling subnets !!!
> >>>>>>
> >>>>>>   ipsec pool --addattr unity_split_include --subnet
> >>>>>> "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
> >>>>>>
> >>>>>> - List all configured attributes
> >>>>>>
> >>>>>>   ipsec pool --statusattr
> >>>>>>
> >>>>>> - Configure the pool in ipsec.conf
> >>>>>>
> >>>>>>   conn rw-cisco
> >>>>>>        right=%any
> >>>>>>        rightsourceip=%mypool
> >>>>>>        leftsubnet=0.0.0.0/0
> >>>>>>
> >>>>>> I haven't actually tested this with the Cisco VPN Client but it
> >>>>>> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
> >>>>>> networks is tunneled.
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>> Andreas
> >>>>>>
> >>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> Is it possible to do split tunneling with CISCO VPN client and pluto
> >>>>>>> so that a road-warrior is still able to access i.e. printers in his
> >>>>>>> local network ?
> >>>>>>>
> >>>>>>> kind regards Claude
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
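The unity_split_include value from Andreas's procedure above, parsed the way a client applies it, as an added example that is not part of this thread or of strongSwan's own code: it turns the address/netmask pairs into the CIDR form that leftsubnet= takes (matching his suggestion to align leftsubnet with the split-include subnets) and classifies destinations as tunneled or local. The destination addresses are constructed; the attribute string is the one quoted in the thread.

```python
import ipaddress

# unity_split_include value as configured in the thread:
# comma-separated "address/netmask" pairs (Cisco Unity format).
SPLIT_INCLUDE = "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"


def parse_split_include(value):
    """Parse a unity_split_include string into IPv4Network objects.

    Each entry is a dotted address plus a dotted netmask. ipaddress
    accepts that tuple form directly and raises ValueError on a
    non-contiguous mask or on host bits set in the address, so a
    malformed attribute is rejected instead of silently widened.
    """
    nets = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        addr, mask = entry.split("/", 1)
        nets.append(ipaddress.IPv4Network((addr, mask), strict=True))
    return nets


def to_leftsubnet(nets):
    """Render the networks as the CIDR list ipsec.conf's leftsubnet= expects."""
    return ",".join(n.with_prefixlen for n in nets)


def is_tunneled(dst, nets):
    """True if dst falls inside a split-include subnet (sent through the
    tunnel); False means it stays on the local LAN, e.g. a home printer."""
    ip = ipaddress.IPv4Address(dst)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    nets = parse_split_include(SPLIT_INCLUDE)
    print("leftsubnet=" + to_leftsubnet(nets))
    # Constructed sample destinations: two inside, one just outside, one local.
    for dst in ("10.1.4.7", "10.3.5.200", "10.3.6.1", "192.168.1.50"):
        print(dst, "tunnel" if is_tunneled(dst, nets) else "local")
```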