[strongSwan] Split tunneling

Claude Tompers claude.tompers at restena.lu
Mon Oct 25 08:19:32 CEST 2010


Hello Andreas,

Sorry for not answering last week; I was already off work.
For the banner, things start getting very odd.

It works if I don't define a banner. (nobanner.log)
It works if I redefine the same strongswan banner. (except for a \ that slipped in before the !) (std_banner.log)
It does not work if I define my own banner. (Welcome to RESTENA VPN.) (custom_banner.log)

kind regards,
Claude



On Friday 22 October 2010 17:08:09 Andreas Steffen wrote:
> Yes, could you send me the detailed logs for a run with the default
> banner and with the default banner defined in attr-sql? The ModeCfg
> payload should be exactly the same.
> 
> Regards
> 
> Andreas
> 
> On 22.10.2010 16:43, Claude Tompers wrote:
> > Is that something you are going to look into? Maybe a bug?
> > 
> > Claude
> > 
> > 
> > On Friday 22 October 2010 16:08:29 Andreas Steffen wrote:
> >> Yep, I have the suspicion that there might be an issue with either
> >> the attribute or total packet length.
> >>
> >> Andreas
> >>
> >> On 22.10.2010 15:47, Claude Tompers wrote:
> >>> So strongswan should send the exact same message, except for the actual string?
> >>>
> >>>
> >>> On Friday 22 October 2010 15:37:46 Andreas Steffen wrote:
> >>>> But if you replace the standard banner by one defined via attr-sql,
> >>>> it fails? Strange!
> >>>>
> >>>> On 22.10.2010 15:04, Claude Tompers wrote:
> >>>>> It still does, if I do not set the attribute, I see the "standard" banner.
> >>>>>
> >>>>> regards,
> >>>>> Claude
> >>>>>
> >>>>>
> >>>>> On Friday 22 October 2010 14:52:36 Andreas Steffen wrote:
> >>>>>> I remember that the default banner "Welcome to Linux strongSwan"
> >>>>>> always worked with the Cisco client, though.
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>> Andreas
> >>>>>>
> >>>>>>  On 22.10.2010 14:29, Claude Tompers wrote:
> >>>>>>> Hello Andreas,
> >>>>>>>
> >>>>>>> They all fail, as soon as I set one of them (unity_def_domain /
> >>>>>>> banner / unity_split_include). Cisco client says "Negotiating
> >>>>>>> security policies" and it fails. If I don't have any of those
> >>>>>>> attributes set, it immediately passes on to saying "Securing channel
> >>>>>>> communication" and succeeds.
> >>>>>>>
> >>>>>>> kind regards, Claude
> >>>>>>>
> >>>>>>>
> >>>>>>> On Friday 22 October 2010 14:06:55 Andreas Steffen wrote:
> >>>>>>>> Hello Claude,
> >>>>>>>>
> >>>>>>>> it is not evident from the log which attribute[s] the Cisco VPN
> >>>>>>>> client doesn't like. I recommend to remove all Cisco_Unity
> >>>>>>>> attributes from the SQLite database keeping only the virtual IP so
> >>>>>>>> that the negotiation goes on to Quick Mode and then add back the
> >>>>>>>> attributes one-by-one until ModeCfg fails so that the actual error
> >>>>>>>> can be identified.
> >>>>>>>>
> >>>>>>>> I just know that Astaro got the split tunneling working since we
> >>>>>>>> jointly developed the attr-sql functionality but I didn't test the
> >>>>>>>> interoperability with the Cisco client myself.
> >>>>>>>>
> >>>>>>>> Regards
> >>>>>>>>
> >>>>>>>> Andreas
> >>>>>>>>
> >>>>>>>> On 22.10.2010 11:40, Claude Tompers wrote:
> >>>>>>>>> I attached the Cisco log. I think the interesting part starts at
> >>>>>>>>> message 24.
> >>>>>>>>>
> >>>>>>>>> kind regards, Claude
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
> >>>>>>>>>> Hmmm, it seems that the Cisco client doesn't like strongSwan's
> >>>>>>>>>> ModeCfg reply containing all these Cisco Unity attributes
> >>>>>>>>>> because it just keeps retransmitting the ModeCfg request. Could
> >>>>>>>>>> you find out what errors occur in the Cisco log?
> >>>>>>>>>>
> >>>>>>>>>> Regards
> >>>>>>>>>>
> >>>>>>>>>> Andreas
> >>>>>>>>>>
> >>>>>>>>>> On 22.10.2010 10:48, Claude Tompers wrote:
> >>>>>>>>>>> Hi Andreas,
> >>>>>>>>>>>
> >>>>>>>>>>> Setting the leftsubnet did not work. You can find the pluto
> >>>>>>>>>>> log attached.
> >>>>>>>>>>>
> >>>>>>>>>>> thank you Claude
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
> >>>>>>>>>>>> Hello Claude,
> >>>>>>>>>>>>
> >>>>>>>>>>>> could you provide some pluto logs with
> >>>>>>>>>>>>
> >>>>>>>>>>>> plutodebug=all
> >>>>>>>>>>>>
> >>>>>>>>>>>> set in ipsec.conf?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Regards
> >>>>>>>>>>>>
> >>>>>>>>>>>> Andreas
> >>>>>>>>>>>>
> >>>>>>>>>>>> BTW, on second thought, leftsubnet on the strongSwan gateway
> >>>>>>>>>>>> should be set to the subnet communicated to the Cisco client
> >>>>>>>>>>>> via the unity_split_include attribute since the client will
> >>>>>>>>>>>> probably use them during Quick Mode. I don't know if
> >>>>>>>>>>>> multiple subnets will cause several Quick Modes to be set
> >>>>>>>>>>>> up, though.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Regards
> >>>>>>>>>>>>
> >>>>>>>>>>>> Andreas
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 22.10.2010 09:55, Claude Tompers wrote:
> >>>>>>>>>>>>> Hello Andreas,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thank you for your quick reply. Sadly, it does not work,
> >>>>>>>>>>>>> but I think we're on the right path. The Cisco client
> >>>>>>>>>>>>> tells me "Negotiating security policies" before it stops
> >>>>>>>>>>>>> silently. On the other side, I don't see much in the
> >>>>>>>>>>>>> pluto logs. Any ideas?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> kind regards, Claude
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thursday 21 October 2010 12:22:56 Andreas Steffen
> >>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>> Hello Claude,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> yes it should be possible with the Cisco_Unity
> >>>>>>>>>>>>>> functionality added to the attr-sql plugin with
> >>>>>>>>>>>>>> strongswan-4.4.1:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Enable the attr-sql and sqlite plugins
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ./configure ... --enable-sqlite --enable-attr-sql
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Create an SQLite database:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Define the path to the database in strongswan.conf
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> libhydra {
> >>>>>>>>>>>>>>   plugins {
> >>>>>>>>>>>>>>     attr-sql {
> >>>>>>>>>>>>>>       database = sqlite:///etc/ipsec.d/ipsec.db
> >>>>>>>>>>>>>>     }
> >>>>>>>>>>>>>>   }
> >>>>>>>>>>>>>> }
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Create a virtual IP pool in the database using the
> >>>>>>>>>>>>>> ipsec pool tool
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Add internal DNS and WINS servers
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --addattr dns  --server 10.1.0.10
> >>>>>>>>>>>>>> ipsec pool --addattr dns  --server 10.1.1.10
> >>>>>>>>>>>>>> ipsec pool --addattr nbns --server 10.1.0.20
> >>>>>>>>>>>>>> ipsec pool --addattr nbns --server 10.1.1.20
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Add default domain
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --addattr unity_def_domain --string "strongswan.org"
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Add welcome banner
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Add split tunneling subnets !!!
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - List all configured attributes
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ipsec pool --statusattr
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Configure the pool in ipsec.conf
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> conn rw-cisco
> >>>>>>>>>>>>>>      right=%any
> >>>>>>>>>>>>>>      rightsourceip=%mypool
> >>>>>>>>>>>>>>      leftsubnet=0.0.0.0/0
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I haven't actually tested this with the Cisco VPN
> >>>>>>>>>>>>>> Client but it should work so that only traffic to the
> >>>>>>>>>>>>>> 10.1.0.0/16 and 10.3.5.0/24 networks are tunneled.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Regards
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Andreas
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On 21.10.2010 10:57, Claude Tompers wrote:
> >>>>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Is it possible to do split tunneling with CISCO VPN
> >>>>>>>>>>>>>>> client and pluto so that a road-warrior is still able
> >>>>>>>>>>>>>>> to access i.e. printers in his local network?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> kind regards Claude
> >>>>>>
> >>>>>> ======================================================================
> >>>>>> Andreas Steffen                         andreas.steffen at strongswan.org
> >>>>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
> >>>>>> Institute for Internet Technologies and Applications
> >>>>>> University of Applied Sciences Rapperswil
> >>>>>> CH-8640 Rapperswil (Switzerland)
> >>>>>> ===========================================================[ITA-HSR]==
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> > 
> 
> 
> 

-- 
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: custom_banner.log
Type: text/x-log
Size: 277272 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101025/54f5d9d7/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nobanner.log
Type: text/x-log
Size: 294953 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101025/54f5d9d7/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: std_banner.log
Type: text/x-log
Size: 303216 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101025/54f5d9d7/attachment-0002.bin>
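As an added example (not code from this thread or from strongSwan), the Python below builds the ISAKMP ModeCfg reply payload carrying the attributes Andreas's steps configure (virtual IP, DNS, unity_def_domain, banner, unity_split_include), then parses it back and fails loudly if the declared payload or attribute lengths disagree with the bytes present, which is the attribute/total length mismatch Andreas suspected. The attribute numbers for the Cisco Unity private range (0x7000 and up) and the 14-byte split-include entry layout are assumed from the ISAKMP Mode-Config and Unity conventions, not taken from the page; the sample banner and subnets are the ones from the thread.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP Mode-Config attribute numbers and the Cisco Unity private range
# (0x7000+); assumed from the specifications, not taken from the thread.
ISAKMP_CFG_REPLY, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 2, 1, 3
UNITY_BANNER, UNITY_DEF_DOMAIN, UNITY_SPLIT_INCLUDE = 0x7000, 0x7002, 0x7004

def split_include_value(subnets):
    """Encode the thread's 'addr/mask,addr/mask' --subnet syntax as Unity
    split-include entries: address(4) mask(4) proto(2) sport(2) dport(2)."""
    out = b""
    for entry in subnets.split(","):
        addr, mask = entry.split("/")
        out += IPv4Address(addr).packed + IPv4Address(mask).packed + bytes(6)
    return out

def build_modecfg_reply(attrs, identifier=0):
    """attrs: list of (type, value bytes) -> generic payload header
    (next, reserved, length) + config header + TLV attributes."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    cfg = struct.pack("!BBH", ISAKMP_CFG_REPLY, 0, identifier) + body
    return struct.pack("!BBH", 0, 0, 4 + len(cfg)) + cfg

def parse_modecfg(payload):
    """Parse an ATTRIBUTE payload; raise if any declared length disagrees
    with the bytes present (the attribute/total length mismatch suspected)."""
    _, _, plen = struct.unpack("!BBH", payload[:4])
    if plen != len(payload):
        raise ValueError(f"payload length {plen} != actual {len(payload)}")
    cfg_type, _, ident = struct.unpack("!BBH", payload[4:8])
    attrs, off = [], 8
    while off < plen:
        t, l = struct.unpack("!HH", payload[off:off + 4])
        if t & 0x8000:                 # TV form: 'length' field is the value
            attrs.append((t & 0x7FFF, l)); off += 4; continue
        if off + 4 + l > plen:
            raise ValueError(f"attribute {t:#06x} overruns the payload")
        attrs.append((t, payload[off + 4:off + 4 + l])); off += 4 + l
    return cfg_type, ident, attrs

def restena_reply(banner="Welcome to RESTENA VPN."):
    """Constructed reply carrying the attributes configured in the thread."""
    return build_modecfg_reply([
        (INTERNAL_IP4_ADDRESS, IPv4Address("10.3.0.1").packed),
        (INTERNAL_IP4_DNS, IPv4Address("10.1.0.10").packed),
        (UNITY_DEF_DOMAIN, b"strongswan.org"),
        (UNITY_BANNER, banner.encode()),
        (UNITY_SPLIT_INCLUDE, split_include_value("10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0")),
    ])
```

To check a real reply, feed the hex of the ATTRIBUTE payload from a pluto `plutodebug=all` dump into `parse_modecfg` and compare the banner and split-include lengths it reports with what `ipsec pool --statusattr` shows.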