[strongSwan] Split tunneling

Andreas Steffen andreas.steffen at strongswan.org
Fri Oct 22 15:37:46 CEST 2010


But if you replace the standard banner by one defined via attr-sql,
it fails? Strange!

On 22.10.2010 15:04, Claude Tompers wrote:
> It still does, if I do not set the attribute, I see the "standard" banner.
> 
> regards,
> Claude
> 
> 
> On Friday 22 October 2010 14:52:36 Andreas Steffen wrote:
>> I remember that the default banner "Welcome to Linux strongSwan"
>> always worked with the Cisco client, though.
>>
>> Regards
>>
>> Andreas
>>
>>  On 22.10.2010 14:29, Claude Tompers wrote:
>>> Hello Andreas,
>>>
>>> They all fail, as soon as I set one of them (unity_def_domain /
>>> banner / unity_split_include). Cisco client says "Negotiating
>>> security policies" and it fails. If I don't have any of those
>>> attributes set, it immediately passes on to saying "Securing channel
>>> communication" and succeeds.
>>>
>>> kind regards, Claude
>>>
>>>
>>> On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
>>>> Hello Claude,
>>>>
>>>> it is not evident from the log which attribute[s] the Cisco VPN
>>>> client doesn't like. I recommend removing all Cisco_Unity
>>>> attributes from the SQLite database keeping only the virtual IP so
>>>> that the negotiation goes on to Quick Mode and then add back the
>>>> attributes one-by-one until ModeCfg fails so that the actual error
>>>> can be identified.
>>>>
>>>> I just know that Astaro got the split tunneling working since we
>>>> jointly developed the attr-sql functionality but I didn't test the
>>>> interoperability with the Cisco client myself.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 22.10.2010 11:40, Claude Tompers wrote:
>>>>> I attached the Cisco log. I think the interesting part starts at
>>>>> message 24.
>>>>>
>>>>> kind regards, Claude
>>>>>
>>>>>
>>>>> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
>>>>>> Hmmm, it seems that the Cisco client doesn't like strongSwan's
>>>>>> ModeCfg reply containing all these Cisco Unity attributes
>>>>>> because it just keeps retransmitting the ModeCfg request. Could
>>>>>> you find out what errors occur in the Cisco log?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> On 22.10.2010 10:48, Claude Tompers wrote:
>>>>>>> Hi Andreas,
>>>>>>>
>>>>>>> Setting the leftsubnet did not work. You can find the pluto
>>>>>>> log attached.
>>>>>>>
>>>>>>> thank you Claude
>>>>>>>
>>>>>>>
>>>>>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
>>>>>>>> Hello Claude,
>>>>>>>>
>>>>>>>> could you provide some pluto logs with
>>>>>>>>
>>>>>>>> plutodebug=all
>>>>>>>>
>>>>>>>> set in ipsec.conf?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>> BTW On second thought leftsubnet on the strongSwan gateway
>>>>>>>> should be set to the subnet communicated to the Cisco client
>>>>>>>> via the unity_split_include attribute since the client will
>>>>>>>> probably use them during Quick Mode. I don't know if
>>>>>>>> multiple subnets will cause several Quick Modes to be set
>>>>>>>> up, though.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>> On 22.10.2010 09:55, Claude Tompers wrote:
>>>>>>>>> Hello Andreas,
>>>>>>>>>
>>>>>>>>> Thank you for your quick reply. Sadly, it does not work,
>>>>>>>>> but I think we're on the right path. The Cisco client
>>>>>>>>> tells me "Negotiating security policies" before it stops
>>>>>>>>> silently. On the other side, I don't see much in the
>>>>>>>>> pluto logs. Any ideas?
>>>>>>>>>
>>>>>>>>> kind regards, Claude
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen
>>>>>>>>> wrote:
>>>>>>>>>> Hello Claude,
>>>>>>>>>>
>>>>>>>>>> yes it should be possible with the Cisco_Unity
>>>>>>>>>> functionality added to the attr-sql plugin with
>>>>>>>>>> strongswan-4.4.1:
>>>>>>>>>>
>>>>>>>>>> - Enable the attr-sql and sqlite plugins
>>>>>>>>>>
>>>>>>>>>> ./configure ... --enable-sqlite --enable-attr-sql
>>>>>>>>>>
>>>>>>>>>> - Create an SQLite database:
>>>>>>>>>>
>>>>>>>>>> cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
>>>>>>>>>>
>>>>>>>>>> - Define the path to the database in strongswan.conf
>>>>>>>>>>
>>>>>>>>>> libhydra {
>>>>>>>>>>   plugins {
>>>>>>>>>>     attr-sql {
>>>>>>>>>>       database = sqlite:///etc/ipsec.d/ipsec.db
>>>>>>>>>>     }
>>>>>>>>>>   }
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> - Create a virtual IP pool in the database using the
>>>>>>>>>> ipsec pool tool
>>>>>>>>>>
>>>>>>>>>> ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>>>>>>>>>>
>>>>>>>>>> - Add internal DNS and WINS servers
>>>>>>>>>>
>>>>>>>>>> ipsec pool --addattr dns  --server 10.1.0.10
>>>>>>>>>> ipsec pool --addattr dns  --server 10.1.1.10
>>>>>>>>>> ipsec pool --addattr nbns --server 10.1.0.20
>>>>>>>>>> ipsec pool --addattr nbns --server 10.1.1.20
>>>>>>>>>>
>>>>>>>>>> - Add default domain
>>>>>>>>>>
>>>>>>>>>> ipsec pool --addattr unity_def_domain --string "strongswan.org"
>>>>>>>>>>
>>>>>>>>>> - Add welcome banner
>>>>>>>>>>
>>>>>>>>>> ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>>>>>>>>>>
>>>>>>>>>> - Add split tunneling subnets !!!
>>>>>>>>>>
>>>>>>>>>> ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>>>>>>>>>
>>>>>>>>>> - List all configured attributes
>>>>>>>>>>
>>>>>>>>>> ipsec pool --statusattr
>>>>>>>>>>
>>>>>>>>>> - Configure the pool in ipsec.conf
>>>>>>>>>>
>>>>>>>>>> conn rw-cisco
>>>>>>>>>>      right=%any
>>>>>>>>>>      rightsourceip=%mypool
>>>>>>>>>>      leftsubnet=0.0.0.0/0
>>>>>>>>>>
>>>>>>>>>> I haven't actually tested this with the Cisco VPN
>>>>>>>>>> Client but it should work so that only traffic to the
>>>>>>>>>> 10.1.0.0/16 and 10.3.5.0/24 networks is tunneled.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Andreas
>>>>>>>>>>
>>>>>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> Is it possible to do split tunneling with CISCO VPN
>>>>>>>>>>> client and pluto so that a road-warrior is still able
>>>>>>>>>>> to access e.g. printers in his local network?
>>>>>>>>>>>
>>>>>>>>>>> kind regards Claude
>>
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
> 


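The ModeCfg reply behind Andreas' recipe and his debugging advice (strip the Cisco_Unity attributes, add them back one at a time), as an added example that is not part of the original thread and not strongSwan's code. It builds the attribute list a gateway configured with the pool above would push (virtual IP, DNS, NBNS, unity_def_domain, banner, unity_split_include), parses such a list back into readable form so the attributes sent can be compared with what the Cisco log complains about, and derives the leftsubnet value Andreas suggests from the split-include networks. Assumptions made here: the attribute numbers (INTERNAL_IP4_* from the ISAKMP mode-config draft, UNITY_* in the 0x7000 range from the Cisco Unity extension), the 14-byte split-include entry layout network/netmask/protocol/src-port/dst-port with the last six bytes zero, and all sample addresses and strings are taken from or modelled on the recipe in the thread.

```python
import ipaddress
import struct

# ISAKMP ModeCfg attribute numbers (assumption: INTERNAL_IP4_* per the
# mode-config draft, UNITY_* per the Cisco Unity private extension).
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_NBNS = 4
UNITY_BANNER = 28672
UNITY_DEF_DOMAIN = 28674
UNITY_SPLIT_INCLUDE = 28676

ATTR_NAMES = {
    INTERNAL_IP4_ADDRESS: "INTERNAL_IP4_ADDRESS", INTERNAL_IP4_DNS: "INTERNAL_IP4_DNS",
    INTERNAL_IP4_NBNS: "INTERNAL_IP4_NBNS", UNITY_BANNER: "UNITY_BANNER",
    UNITY_DEF_DOMAIN: "UNITY_DEF_DOMAIN", UNITY_SPLIT_INCLUDE: "UNITY_SPLIT_INCLUDE",
}

def encode_split_include(subnet_list):
    """Turn the 'net/mask,net/mask' string used with --subnet into Unity
    split-include entries: network(4) netmask(4) proto(2) sport(2) dport(2).
    Assumption: the last six bytes are zero for a plain subnet entry."""
    out = b""
    for item in subnet_list.split(","):
        net, mask = item.strip().split("/")
        out += ipaddress.IPv4Address(net).packed + ipaddress.IPv4Address(mask).packed
        out += b"\x00" * 6
    return out

def decode_split_include(value):
    """Inverse of encode_split_include; returns CIDR strings."""
    if len(value) % 14:
        raise ValueError("split-include value is not a multiple of 14 bytes")
    nets = []
    for off in range(0, len(value), 14):
        net = str(ipaddress.IPv4Address(value[off:off + 4]))
        mask = str(ipaddress.IPv4Address(value[off + 4:off + 8]))
        nets.append(str(ipaddress.IPv4Network((net, mask))))
    return nets

def tlv(attr_type, value):
    """ModeCfg attribute in type/length/value form (bit 15 of the type clear)."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value

def build_modecfg_reply(vip, dns, nbns, domain, banner, split):
    """Attribute list a gateway set up as in the thread would return."""
    data = tlv(INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address(vip).packed)
    for s in dns:
        data += tlv(INTERNAL_IP4_DNS, ipaddress.IPv4Address(s).packed)
    for s in nbns:
        data += tlv(INTERNAL_IP4_NBNS, ipaddress.IPv4Address(s).packed)
    data += tlv(UNITY_DEF_DOMAIN, domain.encode())
    data += tlv(UNITY_BANNER, banner.encode())
    return data + tlv(UNITY_SPLIT_INCLUDE, encode_split_include(split))

def parse_attributes(data):
    """Walk an attribute list. Type/value attributes (bit 15 set) carry a
    2-byte value in the length field; TLV ones are followed by 'length' bytes."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        t, l = struct.unpack_from("!HH", data, off)
        if t & 0x8000:
            attrs.append((t & 0x7FFF, struct.pack("!H", l)))
            off += 4
        else:
            if off + 4 + l > len(data):
                raise ValueError("truncated attribute of type %d" % t)
            attrs.append((t, data[off + 4:off + 4 + l]))
            off += 4 + l
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs

def describe(data):
    """Readable dump, one 'NAME = value' line per attribute."""
    lines = []
    for t, v in parse_attributes(data):
        name = ATTR_NAMES.get(t, "attr %d" % t)
        if t in (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS):
            shown = str(ipaddress.IPv4Address(v))
        elif t == UNITY_SPLIT_INCLUDE:
            shown = ",".join(decode_split_include(v))
        else:
            shown = v.decode("ascii", "replace")
        lines.append("%s = %s" % (name, shown))
    return lines

def leftsubnet_for(data):
    """leftsubnet matching the pushed split-include networks, as Andreas
    suggests; 0.0.0.0/0 when no split-include attribute is present."""
    for t, v in parse_attributes(data):
        if t == UNITY_SPLIT_INCLUDE:
            return ",".join(decode_split_include(v))
    return "0.0.0.0/0"

if __name__ == "__main__":
    # Sample values constructed from the recipe in the thread.
    reply = build_modecfg_reply("10.3.0.1", ["10.1.0.10", "10.1.1.10"],
                                ["10.1.0.20", "10.1.1.20"], "strongswan.org",
                                "The network will be down from 6-8 pm",
                                "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0")
    print("\n".join(describe(reply)))
    print("leftsubnet=" + leftsubnet_for(reply))
```

To follow the one-by-one approach from the thread, drop arguments from build_modecfg_reply (or pass the raw bytes of a ModeCfg reply taken from a pluto debug dump to describe) and compare the attribute list with what the Cisco client rejects; the parser raises on truncated or misaligned encodings, which is the first thing to rule out when a client silently retransmits the request.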