[strongSwan] Strongswan + OS X (Cisco IPsec) + default route?
max_allan at hotmail.com
Fri Aug 24 13:08:03 CEST 2012
In your search for a cleaner way, almost anything will probably be cleaner than the default activity, which seems to be to add an individual route for every other IP address you try to connect to. After a minute or so, this is the top of my routing table:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default            192.168.1.10       UGScI          12        0     en1
84.108.40.206      utun0              UHWIi          25      211   utun0
10.66.2.2          utun0              UHW3Ii          0        9   utun0
10.66.3.78         utun0              UHW3Ii          0        9   utun0
10.66.4.147        utun0              UHW3Ii          0        9   utun0
10.66.54.21        utun0              UHWIi           2       49   utun0
10.100.255.1       10.100.255.1       UH              1       36   utun0
17.72.255.11       utun0              UHWIi           1        3   utun0
65.55.223.14       utun0              UHW3Ii          0        3   utun0
93.97.103.209      utun0              UHW3Ii          0        6   utun0      8
220.127.116.11     utun0              UHW3Ii          0        3   utun0      3
18.104.22.168      utun0              UHW3Ii          0        6   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              4    22033     lo0
22.214.171.124     utun0              UHW3Ii          0        3   utun0
126.96.36.199      utun0              UHW3Ii          0        3   utun0
188.8.131.52       utun0              UHWIi           1        2   utun0
184.108.40.206     utun0              UHW3Ii          0        3   utun0
220.127.116.11     utun0              UHW3Ii          0        3   utun0
......
The original default route is still there (192.168.1.10), but the other one comes first, so it gets used. Then every other host I connect to, whether on a private or public subnet, gets a new entry. I don't think there is anything that times them out either. So after a few hours, you're going to have a massive routing table and I would expect the machine would slow down a bit.
My organisation is 100% Mac based and we wanted a split VPN with direct internet access and access to a private network over VPN. I have a StrongSwan config that does that fine on Windows/Linux but everything goes over the VPN on OSX. :-( You might want to consider Tunnelblick and OpenVPN instead of IPsec VPNs for OSX. Unfortunately that's not available for iPhone/iPad users.
If the Cisco extensions could help, then I'll add a +1 to that feature request ;-)
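The routing-table growth described above can be checked rather than eyeballed. The following shell snippet is an added example, not part of the original mail or of strongSwan; it runs awk over a constructed, trimmed-down sample of `netstat -rn` output (the addresses are placeholders) and counts the cloned per-host routes (flags containing both H and W) per interface, and reports which interface the first, and therefore active, default route points at. On a real machine you would pass `"$(netstat -rn)"` instead of the sample.

```shell
# Constructed sample of `netstat -rn` output (not from the original mail);
# the addresses are placeholders. Column order: Destination Gateway Flags
# Refs Use Netif [Expire].
SAMPLE_ROUTES='Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default            192.168.1.10       UGScI          12        0     en1
10.66.2.2          utun0              UHW3Ii          0        9   utun0
10.66.54.21        utun0              UHWIi           2       49   utun0
10.100.255.1       10.100.255.1       UH              1       36   utun0
127.0.0.1          127.0.0.1          UH              4    22033     lo0
93.97.103.209      utun0              UHW3Ii          0        6   utun0      8'

# Print "<netif> <count>" for every interface that carries cloned host routes.
# A route is a cloned host route when its Flags field ($3) contains both
# H (host) and W (was cloned). The header line (NR == 1) is skipped.
count_cloned_host_routes() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $3 ~ /H/ && $3 ~ /W/ { n[$6]++ }
        END { for (i in n) print i, n[i] }'
}

# Print the Netif of the first "default" entry; the kernel uses the first
# match, so this is the interface that currently carries the default route.
active_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $6; exit }'
}

# Exit 1 when any interface holds more cloned host routes than the limit
# given as the second argument (a simple threshold for a monitoring check).
check_host_route_limit() {
    limit="$2"
    count_cloned_host_routes "$1" | awk -v lim="$limit" '$2 > lim { bad = 1 } END { exit bad }'
}

# Stand-alone run on the constructed sample:
count_cloned_host_routes "$SAMPLE_ROUTES"
active_default_route "$SAMPLE_ROUTES"
```

Running the check periodically while the tunnel is up makes the "one host route per destination" behaviour visible as a steadily rising count on utun0, and the default-route check shows immediately whether traffic is being sent through the tunnel rather than via the LAN gateway.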
> From: martin at strongswan.org
> To: insyte at gmail.com
> Date: Fri, 24 Aug 2012 10:44:05 +0200
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + OS X (Cisco IPsec) + default route?
> Hi Ben,
> > I've found a few hacks that require installing custom applescript to
> > override the default route, but I'm hoping there's a cleaner, better
> > way. Any suggestions?
> The best way to set up split tunneling with OS X is to use the Cisco
> Unity extensions. These allow you to define (on the responder) which
> subnets to include into the tunnel, but we currently don't support them.
> We might bring support for it in a future release, but not sure yet when
> this will happen.