[strongSwan] Need help with StrongSwan & Mac OS X split tunneling

Ken Nelson ken at cazena.com
Wed Feb 4 22:19:28 CET 2015

I was able to get split-tunneling to work for Mac OS X clients, although it was not very easy or straight-forward.  This mail documents the configuration in the event someone else might want to do this and asks the mailing list if there is a better way or if there are any down-sides of this configuration.  This configuration was pieced together by doing quite a bit of googling as the StrongSwan documentation in this area is terse (or I missed the Unity attribute documentation).

One downside to this configuration I read is that all connections would get the DNS server address and that is could be more flexibly assigned using rightdns in ipsec.conf on a per connection basis.  However, I did not see any way in ipsec.conf to set the DNS search domain along with the server address.

The “cisco_unity = yes” attribute was set in strongswan.d/charon.conf.

# strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        attr {
            # Cisco Unity plugin attributes for IKEv1
            split-include =  # Send only traffic destined to leftsubnet to the tunnel interface
            split-exclude =     # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
            dns =             # DNS server in leftsubnet
            28674 = xyz.internal          # UNITY_DEF_DOMAIN attribute to set DNS search domain

# Enable the Cisco Unity plugin by adding the following line
# in strongswan.d/charon.conf, if it is not already
#    cisco_unity = yes
include strongswan.d/*.conf

On Jan 26, 2015, at 4:39 PM, Ken Nelson <ken at cazena.com<mailto:ken at cazena.com>> wrote:


I’m trying to configure a Linux machine to act as an IPSec VPN gateway, with the first supported clients being Mac OS X road warriors.  I want to support split tunneling at the client as I only want traffic destined to certain subnets to be routed to the StrongSwan VPN GW.

The VPN GW software versions:
   StrongSwan:  5.2.0-7.el6
   Centos 6.6:  Linux 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Initial Mac OS X version supported is 10.10.

I read here that the Cisco Unity plugin is needed to support split tunneling for Mac OS X clients using IKEv1.

When I configure strongswan.conf like this:

-bash-4.1# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
        cisco_unity = yes

include strongswan.d/*.conf

Restart the service:

-bash-4.1# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.2.0 IPsec [starter]...

I do NOT see unity in the list of plugins:

Jan 26 23:18:43 ip-10-8-64-4 charon: 00[LIB] loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp

When I connect to the VPN GW, it does NOT split tunnel.  What am I missing?  Is there some other library/RPM required?  I installed StrongSwan like this:

$ sudo yum install strongswan
Loaded plugins: fastestmirror, presto
Setting up Install Process
Loading mirror speeds from cached hostfile
 * epel:

centos                                                                                                                    | 3.7 kB     00:00
centos/primary_db                                                                                                         | 4.6 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package strongswan.x86_64 0:5.2.0-7.el6 will be installed
--> Processing Dependency: libtspi.so.1()(64bit) for package: strongswan-5.2.0-7.el6.x86_64
--> Running transaction check
---> Package trousers.x86_64 0:0.3.13-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                             Arch                            Version                               Repository                       Size
 strongswan                          x86_64                          5.2.0-7.el6                           epel                            923 k
Installing for dependencies:
 trousers                            x86_64                          0.3.13-2.el6                          centos                          277 k

Transaction Summary
Install       2 Package(s)

Total download size: 1.2 M
Installed size: 3.4 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
Processing delta metadata
Package(s) data still to download: 1.2 M
(1/2): strongswan-5.2.0-7.el6.x86_64.rpm                                                                                  | 923 kB     00:00
(2/2): trousers-0.3.13-2.el6.x86_64.rpm                                                                                   | 277 kB     00:00
Total                                                                                                            3.9 MB/s | 1.2 MB     00:00
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Retrieving key from

Importing GPG key 0x0608B895:
 Userid : EPEL (6) <
epel at fedoraproject.org
 Package: epel-release-6-8.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : trousers-0.3.13-2.el6.x86_64                                                                                                  1/2
  Installing : strongswan-5.2.0-7.el6.x86_64                                                                                                 2/2
  Verifying  : trousers-0.3.13-2.el6.x86_64                                                                                                  1/2
  Verifying  : strongswan-5.2.0-7.el6.x86_64                                                                                                 2/2

  strongswan.x86_64 0:5.2.0-7.el6

Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6


Finally, I saw Bug #737.  Does this mean I must move to StrongSwan 5.2.2 to support Mac OS X split tunneling or has it been back ported to earlier releases?  StrongSwan 5.2.2 look like is only available as RPM on Fedora Rawhide (of the RHEL/Centos distributions) so would need to build from sources for Centos 6?  Is easy to support split tunneling using a third-party Mac OS X client instead of the native one?

Thanks for any help,


Users mailing list
Users at lists.strongswan.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150204/bb9dd037/attachment-0001.html>

More information about the Users mailing list