[strongSwan] Need help with StrongSwan & Mac OS X split tunneling
Ken Nelson
ken at cazena.com
Wed Feb 4 22:19:28 CET 2015
I was able to get split-tunneling to work for Mac OS X clients, although it was not very easy or straight-forward. This mail documents the configuration in the event someone else might want to do this and asks the mailing list if there is a better way or if there are any down-sides of this configuration. This configuration was pieced together by doing quite a bit of googling as the StrongSwan documentation in this area is terse (or I missed the Unity attribute documentation).
One downside to this configuration I read is that all connections would get the DNS server address and that is could be more flexibly assigned using rightdns in ipsec.conf on a per connection basis. However, I did not see any way in ipsec.conf to set the DNS search domain along with the server address.
The “cisco_unity = yes” attribute was set in strongswan.d/charon.conf.
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
attr {
# Cisco Unity plugin attributes for IKEv1
split-include = 10.8.64.0/23 # Send only traffic destined to leftsubnet to the tunnel interface
split-exclude = 0.0.0.0/0 # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
dns = 10.8.65.164 # DNS server in leftsubnet
28674 = xyz.internal # UNITY_DEF_DOMAIN attribute to set DNS search domain
}
}
}
#
# Enable the Cisco Unity plugin by adding the following line
# in strongswan.d/charon.conf, if it is not already
#
# cisco_unity = yes
#
include strongswan.d/*.conf
On Jan 26, 2015, at 4:39 PM, Ken Nelson <ken at cazena.com<mailto:ken at cazena.com>> wrote:
Hi,
I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with the first supported clients being Mac OS X road warriors. I want to support split tunneling at the client as I only want traffic destined to certain subnets to be routed to the StrongSwan VPN GW.
The VPN GW software versions:
StrongSwan: 5.2.0-7.el6
Centos 6.6: Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Initial Mac OS X version supported is 10.10.
I read here that the Cisco Unity plugin is needed to support split tunneling for Mac OS X clients using IKEv1.
When I configure strongswan.conf like this:
-bash-4.1# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
cisco_unity = yes
}
include strongswan.d/*.conf
Restart the service:
-bash-4.1# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.2.0 IPsec [starter]...
I do NOT see unity in the list of plugins:
Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
When I connect to the VPN GW, it does NOT split tunnel. What am I missing? Is there some other library/RPM required? I installed StrongSwan like this:
$ sudo yum install strongswan
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
* epel:
mirror.symnds.com<http://mirror.symnds.com>
centos | 3.7 kB 00:00
centos/primary_db | 4.6 MB 00:00
Resolving Dependencies
--> Running transaction check
---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================
Installing:
strongswan x86_64 5.2.0-7.el6 epel 923 k
Installing for dependencies:
trousers x86_64 0.3.13-2.el6 centos 277 k
Transaction Summary
=================================================================================================================================================
Install 2 Package(s)
Total download size: 1.2 M
Installed size: 3.4 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.2 M
(1/2): strongswan-5.2.0-7.el6.x86_64.rpm | 923 kB 00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm | 277 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------
Total 3.9 MB/s | 1.2 MB 00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
Userid : EPEL (6) <
epel at fedoraproject.org
>
Package: epel-release-6-8.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : trousers-0.3.13-2.el6.x86_64 1/2
Installing : strongswan-5.2.0-7.el6.x86_64 2/2
Verifying : trousers-0.3.13-2.el6.x86_64 1/2
Verifying : strongswan-5.2.0-7.el6.x86_64 2/2
Installed:
strongswan.x86_64 0:5.2.0-7.el6
Dependency Installed:
trousers.x86_64 0:0.3.13-2.el6
Complete!
Finally, I saw Bug #737. Does this mean I must move to StrongSwan 5.2.2 to support Mac OS X split tunneling or has it been back ported to earlier releases? StrongSwan 5.2.2 look like is only available as RPM on Fedora Rawhide (of the RHEL/Centos distributions) so would need to build from sources for Centos 6? Is easy to support split tunneling using a third-party Mac OS X client instead of the native one?
Thanks for any help,
Ken
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150204/bb9dd037/attachment-0001.html>
More information about the Users
mailing list