[strongSwan] Guidance on split-exclude when using Unity plugin

kgardenia42 kgardenia42 at googlemail.com
Fri Feb 1 15:42:09 CET 2013


On Fri, Feb 1, 2013 at 11:02 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi,
>
>> I have a VPN (strongSwan 5.0.2) which is a gateway for all traffic
>> (iOS devices, ikev1).  I would like to exclude certain "sites" (aka
>> hostnames) from that.
>
> As far as I know, split-exclude does not work with iOS clients. It works
> with OS X, but unfortunately not with iOS or the native Android client.
> Split-include works fine with iOS.

OK.  I'd like to establish that either way (about iOS clients) with
this experiment and can report back a definitive statement on it.

>
>> I have replicated this on both iOS clients and an Ubuntu strongSwan
>> client.
>
> What version of strongSwan was running on Ubuntu? You'll require at
> least 5.0.1 with the unity plugin enabled to get split-include/exclude
> working. What does the routing table look like (ip route show table 220),
> and what policies get installed (ipsec statusall, ip xfrm policy)?

I upgraded to 5.0.2 on the Ubuntu client yesterday before sending the
last mail.  The following is from the client machine with the VPN
tunnel up and the discussed exclusion for www.2600.com:

> ip route show table 220
default via 192.168.0.1 dev wlan0  proto static  src 10.0.0.1

> ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2, Linux 3.2.0-36-generic, x86_64):
  uptime: 3 hours, since Feb 01 11:06:34 2013
  malloc: sbrk 270336, mmap 0, used 220800, free 49536
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 1
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default
stroke updown xauth-generic unity
Listening IP addresses:
  192.168.0.2
Connections:
         ios:  %any...vpn.xxx.com  IKEv1
         ios:   local:  [C=US, O=strongSwan,
CN=a508db4b-e99b-99b5-9b55-b556aa976e0b] uses public key
authentication
         ios:    cert:  "C=US, O=strongSwan,
CN=a508db4b-e99b-99b5-9b55-b556aa976e0b"
         ios:   local:  uses XAuth authentication: any with XAuth identity 'xxx'
         ios:   remote: [C=CH, O=strongSwan, CN=vpn.xxx.com] uses
public key authentication
         ios:   child:  dynamic === 0.0.0.0/0 TUNNEL

Shunted Connections:
Unity (ios[1]: 207.99.30.226/32):  10.0.0.1/32 === 207.99.30.226/32 PASS
Security Associations (1 up, 0 connecting):
         ios[1]: ESTABLISHED 85 seconds ago, 192.168.0.2[C=US,
O=strongSwan, CN=a508db4b-e99b-99b5-9b55-b556aa976e0b]...54.54.54.54[C=CH,
O=strongSwan, CN=vpn.xxx.com]
         ios[1]: IKEv1 SPIs: f6bf9950bebd3f4b_i* eb4709602ffb77e6_r,
rekeying disabled
         ios[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         ios{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c1678574_i c6c3f6e6_o
         ios{1}:  AES_CBC_128/HMAC_SHA1_96, 25893 bytes_i (1s ago),
35676 bytes_o (4s ago), rekeying disabled
         ios{1}:   10.0.0.1/32 === 0.0.0.0/0

> ip xfrm policy

src 0.0.0.0/0 dst 10.0.0.1/32
	dir fwd priority 1923
	tmpl src 54.228.4.239 dst 192.168.0.2
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.0.0.1/32
	dir in priority 1923
	tmpl src 54.228.4.239 dst 192.168.0.2
		proto esp reqid 1 mode tunnel
src 10.0.0.1/32 dst 0.0.0.0/0
	dir out priority 1923
	tmpl src 192.168.0.2 dst 54.228.4.239
		proto esp reqid 1 mode tunnel
src 207.99.30.226/32 dst 10.0.0.1/32
	dir fwd priority 1795
src 207.99.30.226/32 dst 10.0.0.1/32
	dir in priority 1795
src 10.0.0.1/32 dst 207.99.30.226/32
	dir out priority 1795
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0

Thanks.
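Reading an `ip xfrm policy` dump by hand is error-prone, so here is an added example (not code from the thread or from strongSwan) that parses such a dump and, mimicking the kernel's policy lookup, reports whether a given packet would be tunnelled, bypass the tunnel via the Unity PASS shunt, or leave in cleartext. The sample dump is constructed from the entries above; the lookup rule assumed is the standard xfrm one: among matching per-traffic policies, the lowest priority value wins, which is why the /32 shunt at 1795 beats the 0.0.0.0/0 tunnel policy at 1923.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: IPv4 entries from the `ip xfrm policy` dump above (fwd entries omitted).
XFRM_DUMP = """\
src 0.0.0.0/0 dst 10.0.0.1/32
    dir in priority 1923
    tmpl src 54.228.4.239 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
src 10.0.0.1/32 dst 0.0.0.0/0
    dir out priority 1923
    tmpl src 192.168.0.2 dst 54.228.4.239
        proto esp reqid 1 mode tunnel
src 207.99.30.226/32 dst 10.0.0.1/32
    dir in priority 1795
src 10.0.0.1/32 dst 207.99.30.226/32
    dir out priority 1795
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    scope: str = "dir"     # "socket" policies bind to one socket (charon's IKE socket), not all traffic
    direction: str = ""    # in / out / fwd
    priority: int = 0      # the kernel picks the matching policy with the LOWEST value
    tunnel: bool = False   # a tmpl line means ESP; no tmpl means a PASS (bypass) shunt

def parse_xfrm_policy(dump):
    """Turn an `ip xfrm policy` dump into Policy records."""
    policies = []
    for w in (line.split() for line in dump.splitlines() if line.strip()):
        if w[0] == "src":
            policies.append(Policy(ipaddress.ip_network(w[1]), ipaddress.ip_network(w[3])))
        elif w[0] in ("dir", "socket"):
            policies[-1].scope, policies[-1].direction, policies[-1].priority = w[0], w[1], int(w[3])
        elif w[0] == "tmpl":
            policies[-1].tunnel = True
    return policies

def classify(policies, src, dst, direction):
    """Kernel-style lookup: of the per-traffic policies whose selector matches the
    packet, the lowest priority wins; no match means the packet leaves in cleartext."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = min((p for p in policies if p.scope == "dir" and p.direction == direction
                and s in p.src and d in p.dst), key=lambda p: p.priority, default=None)
    if best is None:
        return ("cleartext", None)
    return ("tunnel" if best.tunnel else "bypass", best.priority)
```

Running `classify(parse_xfrm_policy(XFRM_DUMP), "10.0.0.1", "207.99.30.226", "out")` against a live dump pasted in place of the sample is a quick way to confirm the exclude shunt really outranks the catch-all tunnel policy on a Linux client.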
