[strongSwan] Split tunneling

Claude Tompers claude.tompers at restena.lu
Fri Oct 22 15:04:57 CEST 2010 

It still does, if I do not set the attribute, I see the "standard" banner.

regards,
Claude


On Friday 22 October 2010 14:52:36 Andreas Steffen wrote:
> I remember that the default banner "Welcome to Linux strongSwan"
> always worked with the Cisco client, though.
> 
> Regards
> 
> Andreas
> 
>  On 22.10.2010 14:29, Claude Tompers wrote:
> > Hello Andreas,
> > 
> > They all fail, as soon as I set one of them (unity_def_domain /
> > banner / unity_split_include). Cisco client says "Negotiating
> > security policies" and it fails. If I don't have any of those
> > attributes set, it immediately passes on to saying "Securing channel
> > communication" and succeeds.
> > 
> > kind regards, Claude
> > 
> > 
> > On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
> >> Hello Claude,
> >> 
> >> it is not evident from the log which attribute[s] the Cisco VPN
> >> client doesn't like. I recommend to remove all Cisco_Unity
> >> attributes from the SQLite database keeping only the virtual IP so
> >> that the negotiation goes on to Quick Mode and then add back the
> >> attributes one-by-one until ModeCfg fails so that the actual error
> >> can be identified.
> >> 
> >> I just know that Astaro got the split tunneling working since we
> >> jointly developed the attr-sql functionality but I didn't test the
> >> interoperability with the Chisco client myself.
> >> 
> >> Regards
> >> 
> >> Andreas
> >> 
> >> On 22.10.2010 11:40, Claude Tompers wrote:
> >>> I attached the Ciso log. I think the interesting part starts at
> >>> message 24.
> >>> 
> >>> kind regards, Claude
> >>> 
> >>> 
> >>> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
> >>>> Hmmm, it seems that the Cisco client doesn't like strongSwan's
> >>>> ModeCfg reply containing all these Cisco Unity attributes
> >>>> because it just keeps retransmitting the ModeCfg request. Could
> >>>> you find out what errors occur in the Cisco log?
> >>>> 
> >>>> Regards
> >>>> 
> >>>> Andreas
> >>>> 
> >>>> On 22.10.2010 10:48, Claude Tompers wrote:
> >>>>> Hi Andreas,
> >>>>> 
> >>>>> Setting the leftsubnet did not work. You can find the pluto
> >>>>> log attached.
> >>>>> 
> >>>>> thank you Claude
> >>>>> 
> >>>>> 
> >>>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
> >>>>>> Hello Claude,
> >>>>>> 
> >>>>>> could you provide some pluto logs with
> >>>>>> 
> >>>>>> plutodebug=all
> >>>>>> 
> >>>>>> set in ipsec.conf?
> >>>>>> 
> >>>>>> Regards
> >>>>>> 
> >>>>>> Andreas
> >>>>>> 
> >>>>>> BTW On second thought leftsubnet on the strongSwan gateway 
> >>>>>> should be set to the subnet communicated the Cisco client
> >>>>>> via the unity_split_include attribute since the client will
> >>>>>> probably used them during Quick Mode. I don't know if
> >>>>>> multiple subnets will cause several Quick Modes to be set
> >>>>>> up, though.
> >>>>>> 
> >>>>>> Regards
> >>>>>> 
> >>>>>> Andreas
> >>>>>> 
> >>>>>> On 22.10.2010 09:55, Claude Tompers wrote:
> >>>>>>> Hello Andreas,
> >>>>>>> 
> >>>>>>> Thank you for your quick reply. Sadly, it does not work,
> >>>>>>> but I think we're on the right path. The Cisco client
> >>>>>>> tells me "Negotiating security policies" before it stops
> >>>>>>> silently. On the other side, I don't see much in the
> >>>>>>> pluto logs. Any ideas ?
> >>>>>>> 
> >>>>>>> kind regards, Claude
> >>>>>>> 
> >>>>>>> 
> >>>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen
> >>>>>>> wrote:
> >>>>>>>> Hello Claude,
> >>>>>>>> 
> >>>>>>>> yes it should be possible with the Cisco_Unity
> >>>>>>>> functionality added to the attr-sql plugin with
> >>>>>>>> strongswan-4.4.1:
> >>>>>>>> 
> >>>>>>>> - Enable the attr-sql and sqlite plugins
> >>>>>>>> 
> >>>>>>>> ./configure ... --enable-sqlite --enable-attr-sql
> >>>>>>>> 
> >>>>>>>> - Create an SQLite database:
> >>>>>>>> 
> >>>>>>>> cat
> >>>>>>>> strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql
> >>>>>>>> | sqlite3 /etc/ipsec.d/ipsec.db
> >>>>>>>> 
> >>>>>>>> - Define the path to the database in strongswan.conf
> >>>>>>>> 
> >>>>>>>> libhydra { plugins { attr-sql { database =
> >>>>>>>> sqlite:///etc/ipsec.d/ipsec.db } } }
> >>>>>>>> 
> >>>>>>>> - Create a virtual IP pool in the database using the
> >>>>>>>> ipsec pool tool
> >>>>>>>> 
> >>>>>>>> ipsec pool -add mypool --start 10.3.0.1 --end
> >>>>>>>> 10.3.0.254 --timeout 48
> >>>>>>>> 
> >>>>>>>> - Add internal DNS and WINS servers
> >>>>>>>> 
> >>>>>>>> ipsec pool --addattr dns  --server 10.1.0.10 ipsec pool
> >>>>>>>> --addattr dns  --server 10.1.1.10 ipsec pool --addattr
> >>>>>>>> nbns --server 10.1.0.20 ipsec pool --addattr nbns
> >>>>>>>> --server 10.1.1.20
> >>>>>>>> 
> >>>>>>>> - Add default domain
> >>>>>>>> 
> >>>>>>>> ipsec pool --addattr unity_def_domain  --string
> >>>>>>>> "strongswan.org"
> >>>>>>>> 
> >>>>>>>> - Add welcome banner
> >>>>>>>> 
> >>>>>>>> ipsec pool --addattr banner --string "The network will
> >>>>>>>> be down from 6-8 pm"
> >>>>>>>> 
> >>>>>>>> - Add split tunneling subnets !!!
> >>>>>>>> 
> >>>>>>>> ipsec pool --addattr unity_split_include --subnet 
> >>>>>>>> "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
> >>>>>>>> 
> >>>>>>>> - List all configured attributes
> >>>>>>>> 
> >>>>>>>> ipsec pool --statusattr
> >>>>>>>> 
> >>>>>>>> - Configure the pool in ipsec.conf
> >>>>>>>> 
> >>>>>>>> conn rw-cisco right=%any rightsourceip=%mypool 
> >>>>>>>> leftsubnet=0.0.0.0/0
> >>>>>>>> 
> >>>>>>>> I haven't actually tested this with the Cisco VPN
> >>>>>>>> Client but it should work so that only traffic to the
> >>>>>>>> 10.1.0.0/16 and 10.3.5.0/24 networks are tunneled.
> >>>>>>>> 
> >>>>>>>> Regards
> >>>>>>>> 
> >>>>>>>> Andreas
> >>>>>>>> 
> >>>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
> >>>>>>>>> Hello,
> >>>>>>>>> 
> >>>>>>>>> Is it possible to do split tunneling with CISCO VPN
> >>>>>>>>> client and pluto so that a road-warrior is still able
> >>>>>>>>> to access i.e. printers in his local network ?
> >>>>>>>>> 
> >>>>>>>>> kind regards Claude
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101022/13d13379/attachment.pgp>

More information about the Users mailing list