[strongSwan] Strongswan + OS X (Cisco IPsec) + default route?

Max Allan max_allan at hotmail.com
Fri Aug 24 13:08:03 CEST 2012

Hi Ben,
In your search for a cleaner way, almost anything will probably be cleaner than the default activity, which seems to be to add an individual route for every other IP address you try to connect to. After a minute or so, this is the top of my routing table:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default                               UGScI          12        0     en1
10.66.0.2          utun0              UHWIi          25      211   utun0
10.66.2.2          utun0              UHW3Ii          0        9   utun0
10.66.3.78         utun0              UHW3Ii          0        9   utun0
10.66.4.147        utun0              UHW3Ii          0        9   utun0
10.66.54.21        utun0              UHWIi           2       49   utun0
10.100.255.1                          UH              1       36   utun0
17.72.255.11       utun0              UHWIi           1        3   utun0
65.55.223.14       utun0              UHW3Ii          0        3   utun0
93.97.103.209      utun0              UHW3Ii          0        6   utun0      8
111.221.74.14      utun0              UHW3Ii          0        3   utun0      3
111.221.74.27      utun0              UHW3Ii          0        6   utun0
127                                   UCS             0        0     lo0
127.0.0.1                             UH              4    22033     lo0
157.55.56.145      utun0              UHW3Ii          0        3   utun0
157.55.130.143     utun0              UHW3Ii          0        3   utun0
157.55.130.157     utun0              UHWIi           1        2   utun0
157.55.235.142     utun0              UHW3Ii          0        3   utun0
157.56.52.15       utun0              UHW3Ii          0        3   utun0
......
The original default route is still there, but the other one comes first, so gets used. Then every other host I connect to, whether on a private or public subnet, gets a new entry. I don't think there is anything that times them out either. So after a few hours, you're going to have a massive routing table and I would expect the machine would slow down a bit.
My organisation are 100% Mac-based and we wanted a split VPN with direct internet access and access to a private network over VPN. I have a StrongSwan config that does that fine on Windows/Linux but everything goes over the VPN on OSX. :-( You might want to consider Tunnelblick and OpenVPN instead of IPsec VPNs for OSX. Unfortunately that's not available for iPhone/iPad users.
If the Cisco extensions could help, then I'll add a +1 to that feature request ;-)

> From: martin at strongswan.org
> To: insyte at gmail.com
> Date: Fri, 24 Aug 2012 10:44:05 +0200
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Strongswan + OS X (Cisco IPsec) + default route?
> Hi Ben,
> > I've found a few hacks that require installing custom applescript to
> > override the default route, but I'm hoping there's a cleaner, better
> > way. Any suggestions?
> The best way to set up split tunneling with OS X is to use the Cisco
> Unity extensions. These allow you to define (on the responder) which
> subnets to include into the tunnel, but we currently don't support them.
> We might bring support for it in a future release, but not sure yet when
> this will happen.
> Regards
> Martin
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
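An added example, not code from the thread or from strongSwan: a small parser for the `netstat -rn` style table pasted above that picks out the cloned per-host routes (flags H and W) on the tunnel interface and shows which default entry is first, so an admin can watch the table grow instead of eyeballing it. The sample rows are constructed from the mail; the gateways on the en1 and lo0 rows are made up because the mail lost them.

```python
"""Spot the per-host route build-up described in the mail by parsing
BSD/macOS `netstat -rn` output.  Added example, not code from the thread;
the sample table below is constructed from the rows quoted in the mail."""

# Constructed sample in the layout of `netstat -rn` on OS X (gateways for
# the en1 and lo0 rows are invented placeholders, since the mail lost them).
SAMPLE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            16        0   utun0
default            192.0.2.1          UGScI          12        0   en1
10.66.0.2          utun0              UHWIi          25      211   utun0
10.66.2.2          utun0              UHW3Ii          0        9   utun0
17.72.255.11       utun0              UHWIi           1        3   utun0
93.97.103.209      utun0              UHW3Ii          0        6   utun0      8
127                127.0.0.1          UCS             0        0   lo0
127.0.0.1          127.0.0.1          UH              4    22033   lo0
157.55.56.145      utun0              UHW3Ii          0        3   utun0
"""

COLUMNS = ("destination", "gateway", "flags", "refs", "use", "netif", "expire")


def parse_routes(text):
    """Return one dict per data row; 'expire' is None when the column is empty."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue  # header, blank line, or a row too short to be a route
        row = dict(zip(COLUMNS, fields))
        row.setdefault("expire", None)
        routes.append(row)
    return routes


def cloned_host_routes(routes, netif="utun0"):
    """Host routes (flag H) that were cloned on demand (flag W) via `netif`:
    the entries that pile up one per peer and never time out."""
    return [r["destination"] for r in routes
            if r["netif"] == netif and "H" in r["flags"] and "W" in r["flags"]]


def default_route_interfaces(routes):
    """Interfaces of the 'default' entries in table order; the first one
    is the one the kernel uses, which is how utun0 shadows en1."""
    return [r["netif"] for r in routes if r["destination"] == "default"]


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print("default route order:", default_route_interfaces(table))
    print("cloned host routes on utun0:", len(cloned_host_routes(table)))
```

On a live machine, feed `subprocess.check_output(["netstat", "-rn"], text=True)` to `parse_routes` instead of `SAMPLE` and alert when the utun0 count keeps climbing.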