[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 14:52:36 CEST 2010


I remember that the default banner "Welcome to Linux strongSwan"
always worked with the Cisco client, though.

Regards

Andreas

On 22.10.2010 14:29, Claude Tompers wrote:
> Hello Andreas,
> 
> They all fail, as soon as I set one of them (unity_def_domain /
> banner / unity_split_include). Cisco client says "Negotiating
> security policies" and it fails. If I don't have any of those
> attributes set, it immediately passes on to saying "Securing channel
> communication" and succeeds.
> 
> kind regards, Claude
> 
> 
> On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
>> Hello Claude,
>> 
>> it is not evident from the log which attribute[s] the Cisco VPN
>> client doesn't like. I recommend removing all Cisco_Unity
>> attributes from the SQLite database, keeping only the virtual IP so
>> that the negotiation goes on to Quick Mode, and then adding back the
>> attributes one by one until ModeCfg fails, so that the actual error
>> can be identified.
>> 
>> I just know that Astaro got the split tunneling working since we
>> jointly developed the attr-sql functionality, but I didn't test the
>> interoperability with the Cisco client myself.
>> 
>> Regards
>> 
>> Andreas
>> 
>> On 22.10.2010 11:40, Claude Tompers wrote:
>>> I attached the Cisco log. I think the interesting part starts at
>>> message 24.
>>> 
>>> kind regards, Claude
>>> 
>>> 
>>> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
>>>> Hmmm, it seems that the Cisco client doesn't like strongSwan's
>>>> ModeCfg reply containing all these Cisco Unity attributes
>>>> because it just keeps retransmitting the ModeCfg request. Could
>>>> you find out what errors occur in the Cisco log?
>>>> 
>>>> Regards
>>>> 
>>>> Andreas
>>>> 
>>>> On 22.10.2010 10:48, Claude Tompers wrote:
>>>>> Hi Andreas,
>>>>> 
>>>>> Setting the leftsubnet did not work. You can find the pluto
>>>>> log attached.
>>>>> 
>>>>> thank you Claude
>>>>> 
>>>>> 
>>>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
>>>>>> Hello Claude,
>>>>>> 
>>>>>> could you provide some pluto logs with
>>>>>> 
>>>>>> plutodebug=all
>>>>>> 
>>>>>> set in ipsec.conf?
>>>>>> 
>>>>>> Regards
>>>>>> 
>>>>>> Andreas
>>>>>> 
>>>>>> BTW, on second thought, leftsubnet on the strongSwan gateway
>>>>>> should be set to the subnets communicated to the Cisco client
>>>>>> via the unity_split_include attribute, since the client will
>>>>>> probably use them during Quick Mode. I don't know if
>>>>>> multiple subnets will cause several Quick Modes to be set
>>>>>> up, though.
>>>>>> 
>>>>>> Regards
>>>>>> 
>>>>>> Andreas
>>>>>> 
>>>>>> On 22.10.2010 09:55, Claude Tompers wrote:
>>>>>>> Hello Andreas,
>>>>>>> 
>>>>>>> Thank you for your quick reply. Sadly, it does not work,
>>>>>>> but I think we're on the right path. The Cisco client
>>>>>>> tells me "Negotiating security policies" before it stops
>>>>>>> silently. On the other side, I don't see much in the
>>>>>>> pluto logs. Any ideas?
>>>>>>> 
>>>>>>> kind regards, Claude
>>>>>>> 
>>>>>>> 
>>>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen
>>>>>>> wrote:
>>>>>>>> Hello Claude,
>>>>>>>> 
>>>>>>>> yes it should be possible with the Cisco_Unity
>>>>>>>> functionality added to the attr-sql plugin with
>>>>>>>> strongswan-4.4.1:
>>>>>>>> 
>>>>>>>> - Enable the attr-sql and sqlite plugins
>>>>>>>> 
>>>>>>>> ./configure ... --enable-sqlite --enable-attr-sql
>>>>>>>> 
>>>>>>>> - Create an SQLite database:
>>>>>>>> 
>>>>>>>> cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql \
>>>>>>>>     | sqlite3 /etc/ipsec.d/ipsec.db
>>>>>>>> 
>>>>>>>> - Define the path to the database in strongswan.conf
>>>>>>>> 
>>>>>>>> libhydra { plugins { attr-sql { database = sqlite:///etc/ipsec.d/ipsec.db } } }
>>>>>>>> 
>>>>>>>> - Create a virtual IP pool in the database using the
>>>>>>>> ipsec pool tool
>>>>>>>> 
>>>>>>>> ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>>>>>>>> 
>>>>>>>> - Add internal DNS and WINS servers
>>>>>>>> 
>>>>>>>> ipsec pool --addattr dns  --server 10.1.0.10
>>>>>>>> ipsec pool --addattr dns  --server 10.1.1.10
>>>>>>>> ipsec pool --addattr nbns --server 10.1.0.20
>>>>>>>> ipsec pool --addattr nbns --server 10.1.1.20
>>>>>>>> 
>>>>>>>> - Add default domain
>>>>>>>> 
>>>>>>>> ipsec pool --addattr unity_def_domain --string "strongswan.org"
>>>>>>>> 
>>>>>>>> - Add welcome banner
>>>>>>>> 
>>>>>>>> ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>>>>>>>> 
>>>>>>>> - Add split tunneling subnets !!!
>>>>>>>> 
>>>>>>>> ipsec pool --addattr unity_split_include --subnet 
>>>>>>>> "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>>>>>>> 
>>>>>>>> - List all configured attributes
>>>>>>>> 
>>>>>>>> ipsec pool --statusattr
>>>>>>>> 
>>>>>>>> - Configure the pool in ipsec.conf
>>>>>>>> 
>>>>>>>> conn rw-cisco
>>>>>>>>      right=%any
>>>>>>>>      rightsourceip=%mypool
>>>>>>>>      leftsubnet=0.0.0.0/0
>>>>>>>> 
>>>>>>>> I haven't actually tested this with the Cisco VPN
>>>>>>>> Client, but it should work so that only traffic to the
>>>>>>>> 10.1.0.0/16 and 10.3.5.0/24 networks is tunneled.
>>>>>>>> 
>>>>>>>> Regards
>>>>>>>> 
>>>>>>>> Andreas
>>>>>>>> 
>>>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> Is it possible to do split tunneling with the Cisco VPN
>>>>>>>>> client and pluto so that a road-warrior is still able
>>>>>>>>> to access i.e. printers in his local network?
>>>>>>>>> 
>>>>>>>>> kind regards Claude

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
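The unity_split_include value in the thread is written in Cisco's
"address/dotted-netmask" form, while ipsec.conf's leftsubnet= takes
CIDR, and Andreas suggests keeping the two in sync because the client
uses the pushed subnets as its Quick Mode traffic selectors. The helper
below is an added illustration, not code from the thread or from
strongSwan: it parses the comma-separated --subnet argument, rejects
malformed entries (a missing mask, a non-contiguous mask, a hostmask
given in place of a netmask, host bits set in the address part, or a
0.0.0.0/0 entry that would turn the "split" into a full tunnel), and
emits the matching leftsubnet= value. The function names are my own.

```python
import ipaddress
from typing import List

def parse_unity_split_include(value: str) -> List[ipaddress.IPv4Network]:
    """Parse an 'addr/netmask,addr/netmask' string, as passed to
    'ipsec pool --addattr unity_split_include --subnet', into networks.

    Every entry is validated strictly: the client will install these as
    traffic selectors, so a sloppy mask silently changes what is tunneled.
    """
    nets: List[ipaddress.IPv4Network] = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        addr, sep, mask = item.partition("/")
        if not sep or not mask:
            raise ValueError(f"missing netmask in split-include entry {item!r}")
        try:
            # strict=True rejects host bits set in the address part;
            # ipaddress itself rejects non-contiguous masks such as 255.0.255.0.
            net = ipaddress.IPv4Network((addr, mask), strict=True)
        except ValueError as exc:
            raise ValueError(f"bad split-include entry {item!r}: {exc}") from None
        # ipaddress silently accepts a hostmask (0.0.255.255) and converts it;
        # the Cisco attribute carries a netmask, so insist the text matches.
        if mask != str(net.netmask) and mask != str(net.prefixlen):
            raise ValueError(f"{item!r}: {mask!r} is not a netmask")
        if net.prefixlen == 0:
            # 0.0.0.0/0 would tunnel everything and defeat split tunneling.
            raise ValueError(f"{item!r}: default route is not a split-include subnet")
        nets.append(net)
    if not nets:
        raise ValueError("empty split-include list")
    return nets

def leftsubnet_for(value: str) -> str:
    """Return the CIDR list for the gateway's leftsubnet= so it covers exactly
    the subnets pushed to the client via unity_split_include."""
    return ",".join(str(n) for n in parse_unity_split_include(value))

def split_include_is_valid(value: str) -> bool:
    """True if the --subnet argument would be accepted by the parser above."""
    try:
        parse_unity_split_include(value)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample: the two subnets used in the thread.
    sample = "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
    print("leftsubnet=" + leftsubnet_for(sample))
```

Running the script with the thread's two subnets prints
`leftsubnet=10.1.0.0/16,10.3.5.0/24`; feeding it `10.1.0.0/0.0.255.255` or
`10.1.0.5/255.255.0.0` raises instead of quietly producing a selector the
client would not have asked for.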