[strongSwan] Split tunneling

Fri Oct 22 17:08:09 CEST 2010

Yes, could you send me the detailed logs for a run with the default
banner and with the default banner defined in attr-sql? The ModeCfg
payload should be exactly the same.

Regards

Andreas

On 22.10.2010 16:43, Claude Tompers wrote:
> Is that something you are going to look into ? Maybe a bug ?
> 
> Claude
> 
> 
> On Friday 22 October 2010 16:08:29 Andreas Steffen wrote:
>> Yep, I have the suspicion that there might be an issue with either
>> the attribute or total packet length.
>>
>> Andreas
>>
>> On 22.10.2010 15:47, Claude Tompers wrote:
>>> So strongswan should send the exact same message, except for the actual string ?
>>>
>>>
>>> On Friday 22 October 2010 15:37:46 Andreas Steffen wrote:
>>>> But if you replace the standard banner by one defined via attr-sql,
>>>> it fails? Strange!
>>>>
>>>> On 22.10.2010 15:04, Claude Tompers wrote:
>>>>> It still does, if I do not set the attribute, I see the "standard" banner.
>>>>>
>>>>> regards,
>>>>> Claude
>>>>>
>>>>>
>>>>> On Friday 22 October 2010 14:52:36 Andreas Steffen wrote:
>>>>>> I remember that the default banner "Welcome to Linux strongSwan"
>>>>>> always worked with the Cisco client, though.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>>  On 22.10.2010 14:29, Claude Tompers wrote:
>>>>>>> Hello Andreas,
>>>>>>>
>>>>>>> They all fail, as soon as I set one of them (unity_def_domain /
>>>>>>> banner / unity_split_include). Cisco client says "Negotiating
>>>>>>> security policies" and it fails. If I don't have any of those
>>>>>>> attributes set, it immediately passes on to saying "Securing channel
>>>>>>> communication" and succeeds.
>>>>>>>
>>>>>>> kind regards, Claude
>>>>>>>
>>>>>>>
>>>>>>> On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
>>>>>>>> Hello Claude,
>>>>>>>>
>>>>>>>> it is not evident from the log which attribute[s] the Cisco VPN
>>>>>>>> client doesn't like. I recommend to remove all Cisco_Unity
>>>>>>>> attributes from the SQLite database keeping only the virtual IP so
>>>>>>>> that the negotiation goes on to Quick Mode and then add back the
>>>>>>>> attributes one-by-one until ModeCfg fails so that the actual error
>>>>>>>> can be identified.
>>>>>>>>
>>>>>>>> I just know that Astaro got the split tunneling working since we
>>>>>>>> jointly developed the attr-sql functionality but I didn't test the
>>>>>>>> interoperability with the Chisco client myself.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>> On 22.10.2010 11:40, Claude Tompers wrote:
>>>>>>>>> I attached the Ciso log. I think the interesting part starts at
>>>>>>>>> message 24.
>>>>>>>>>
>>>>>>>>> kind regards, Claude
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
>>>>>>>>>> Hmmm, it seems that the Cisco client doesn't like strongSwan's
>>>>>>>>>> ModeCfg reply containing all these Cisco Unity attributes
>>>>>>>>>> because it just keeps retransmitting the ModeCfg request. Could
>>>>>>>>>> you find out what errors occur in the Cisco log?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> Andreas
>>>>>>>>>>
>>>>>>>>>> On 22.10.2010 10:48, Claude Tompers wrote:
>>>>>>>>>>> Hi Andreas,
>>>>>>>>>>>
>>>>>>>>>>> Setting the leftsubnet did not work. You can find the pluto
>>>>>>>>>>> log attached.
>>>>>>>>>>>
>>>>>>>>>>> thank you Claude
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
>>>>>>>>>>>> Hello Claude,
>>>>>>>>>>>>
>>>>>>>>>>>> could you provide some pluto logs with
>>>>>>>>>>>>
>>>>>>>>>>>> plutodebug=all
>>>>>>>>>>>>
>>>>>>>>>>>> set in ipsec.conf?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Andreas
>>>>>>>>>>>>
>>>>>>>>>>>> BTW On second thought leftsubnet on the strongSwan gateway 
>>>>>>>>>>>> should be set to the subnet communicated the Cisco client
>>>>>>>>>>>> via the unity_split_include attribute since the client will
>>>>>>>>>>>> probably used them during Quick Mode. I don't know if
>>>>>>>>>>>> multiple subnets will cause several Quick Modes to be set
>>>>>>>>>>>> up, though.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Andreas
>>>>>>>>>>>>
>>>>>>>>>>>> On 22.10.2010 09:55, Claude Tompers wrote:
>>>>>>>>>>>>> Hello Andreas,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you for your quick reply. Sadly, it does not work,
>>>>>>>>>>>>> but I think we're on the right path. The Cisco client
>>>>>>>>>>>>> tells me "Negotiating security policies" before it stops
>>>>>>>>>>>>> silently. On the other side, I don't see much in the
>>>>>>>>>>>>> pluto logs. Any ideas ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> kind regards, Claude
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> Hello Claude,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> yes it should be possible with the Cisco_Unity
>>>>>>>>>>>>>> functionality added to the attr-sql plugin with
>>>>>>>>>>>>>> strongswan-4.4.1:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Enable the attr-sql and sqlite plugins
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ./configure ... --enable-sqlite --enable-attr-sql
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Create an SQLite database:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> cat
>>>>>>>>>>>>>> strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql
>>>>>>>>>>>>>> | sqlite3 /etc/ipsec.d/ipsec.db
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Define the path to the database in strongswan.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> libhydra { plugins { attr-sql { database =
>>>>>>>>>>>>>> sqlite:///etc/ipsec.d/ipsec.db } } }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Create a virtual IP pool in the database using the
>>>>>>>>>>>>>> ipsec pool tool
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool -add mypool --start 10.3.0.1 --end
>>>>>>>>>>>>>> 10.3.0.254 --timeout 48
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Add internal DNS and WINS servers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool --addattr dns  --server 10.1.0.10 ipsec pool
>>>>>>>>>>>>>> --addattr dns  --server 10.1.1.10 ipsec pool --addattr
>>>>>>>>>>>>>> nbns --server 10.1.0.20 ipsec pool --addattr nbns
>>>>>>>>>>>>>> --server 10.1.1.20
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Add default domain
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool --addattr unity_def_domain  --string
>>>>>>>>>>>>>> "strongswan.org"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Add welcome banner
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool --addattr banner --string "The network will
>>>>>>>>>>>>>> be down from 6-8 pm"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Add split tunneling subnets !!!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool --addattr unity_split_include --subnet 
>>>>>>>>>>>>>> "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - List all configured attributes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ipsec pool --statusattr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Configure the pool in ipsec.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> conn rw-cisco right=%any rightsourceip=%mypool 
>>>>>>>>>>>>>> leftsubnet=0.0.0.0/0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I haven't actually tested this with the Cisco VPN
>>>>>>>>>>>>>> Client but it should work so that only traffic to the
>>>>>>>>>>>>>> 10.1.0.0/16 and 10.3.5.0/24 networks are tunneled.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Andreas
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Is it possible to do split tunneling with CISCO VPN
>>>>>>>>>>>>>>> client and pluto so that a road-warrior is still able
>>>>>>>>>>>>>>> to access i.e. printers in his local network ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> kind regards Claude
>>>>>>
>>>>>> ======================================================================
>>>>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>>>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>>>>> Institute for Internet Technologies and Applications
>>>>>> University of Applied Sciences Rapperswil
>>>>>> CH-8640 Rapperswil (Switzerland)
>>>>>> ===========================================================[ITA-HSR]==
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==