IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6
September 01, 2012 at 10:08 AM | categories: Centos, Mac OS X, Howto, Sysadmin, RHEL, Linux, Tips, Security, IPSEC
Introduction
In my previous post I described how to set up an IPSEC VPN for use with the iPhone, iPad and Mac OS X IPSEC VPN clients.
This post describes how to enable split tunneling, which the Mac OS X IPSEC client supports. Split tunneling is generally considered less secure than a full tunnel, because the client stays attached to its local network while it also has a path into the protected one, but there are cases where a split tunnel is exactly what you want.
The scenario for this post is that you are connected to a LAN (10.128.0.0/24) with internet access via a gateway on that LAN, and you want to reach a different network, 192.168.1.0/24, which is only accessible via the VPN, while retaining access to resources on the LAN. Only traffic for 192.168.1.0/24 should go through the tunnel; everything else, including the default route, stays on the LAN.
To follow this howto you need a strongswan rpm built with the attr-sql plugin and a sqlite or mysql database plugin as its backend. The EPEL rpm does not include these at the time of writing, so you need to build your own custom strongswan rpm. You can download my spec file and use it to build the rpm yourself.
Installation
Install the rpm
rpm -Uvh strongswan-5.0.0-5.el6.x86_64.rpm
Configuration
Use the following configuration files. If your installation is new, refer to my previous post on how to create the certificates.
Create strongswan configuration
This strongswan configuration allows you to use both certificates and pre-shared keys: the rw-xauth connection authenticates the server with its certificate, rw-xauth-psk authenticates with a PSK, and both then require an XAUTH username and password from the client.
Add the username and password to /etc/strongswan/ipsec.secrets
andrew : XAUTH "5tr0ngp4ss0rd"
Add the preshared key to /etc/strongswan/ipsec.secrets
: PSK "very long pre shared key difficult to guess"
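The two secrets above are the only things standing between an attacker and your VPN, so they deserve a little care. The following is an added example (not part of the original post) that generates a high-entropy PSK and writes ipsec.secrets so that it is owner-readable only from the moment it is created. The file path is a parameter so the functions can be exercised outside /etc/strongswan; base64(1) and /dev/urandom are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post: generate a PSK with real entropy
# and write ipsec.secrets without ever leaving it world-readable.
# Assumptions: base64(1) and /dev/urandom exist; the target path is passed in.
set -eu

# gen_psk [BYTES]: print BYTES (default 48) random bytes, base64-encoded,
# on a single line. 48 bytes -> 64 printable characters.
gen_psk() {
    head -c "${1:-48}" /dev/urandom | base64 | tr -d '\n'
}

# write_secrets FILE USER XAUTH_PASSWORD PSK
# Writes the same two entries the post uses. The subshell sets umask 077 so
# the file is created 0600; there is no window where other users can read it.
write_secrets() {
    file=$1; user=$2; pass=$3; psk=$4
    # refuse short PSKs outright; "difficult to guess" needs length, not cleverness
    [ "${#psk}" -ge 32 ] || { echo "PSK too short (${#psk} chars, need >= 32)" >&2; return 1; }
    (
        umask 077
        printf '%s : XAUTH "%s"\n' "$user" "$pass" > "$file"
        printf ': PSK "%s"\n' "$psk" >> "$file"
    )
}

# check_secrets FILE: succeed only if the mode is exactly 0600
# (GNU stat first, BSD/macOS stat as fallback).
check_secrets() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perms" = "600" ]
}

# Typical use on the gateway:
#   write_secrets /etc/strongswan/ipsec.secrets andrew "$xauth_password" "$(gen_psk)"
#   check_secrets /etc/strongswan/ipsec.secrets
```

Run check_secrets again after any package upgrade or hand edit; a secrets file that becomes 0644 is not reported by strongswan itself.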
Edit /etc/strongswan/ipsec.conf with the following content.
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        esp=aes256-sha256-modp2048,aes256-sha1!
        ike=aes256-sha1-modp1536,aes256-sha512-modp1024,aes256-sha1-modp1024!
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

conn rw-xauth-psk
        leftfirewall=yes
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes
Add the attr-sql plugin configuration to /etc/strongswan/strongswan.conf
libhydra {
    plugins {
        attr-sql {
            database = sqlite:///var/lib/strongswan/ipsec.db
        }
    }
}
Restart the service
Restart the service for the configurations to take effect.
service strongswan restart
Create the attr-sql database
Create a sqlite database to store the pool information, using the sqlite.sql schema for the attr-sql plugin.
wget http://bit.ly/PyMe08
sqlite3 /var/lib/strongswan/ipsec.db < sqlite.sql
Create a database based pool
The pool will store the address range, the split-tunnel network (192.168.1.0/24), the DNS server to assign and a banner. The pool name, vpnclients, must match the rightsourceip=%vpnclients setting in ipsec.conf.
strongswan pool --add vpnclients --start 192.168.2.0 --end 192.168.2.254 --timeout 48
strongswan pool --addattr dns --server 192.168.1.1 --pool vpnclients
strongswan pool --addattr unity_def_domain --string "example.org" --pool vpnclients
strongswan pool --addattr banner --string "example.org - all activity is monitored" --pool vpnclients
strongswan pool --addattr unity_split_include --subnet "192.168.1.0/255.255.255.0" --pool vpnclients
Testing
Configure your Mac OS X VPN client.
- Launch System Preferences, then select Network > + > Interface > VPN > VPN Type > Cisco IPSEC > Create
Set the fields:
Description Strongswan-IPSEC
Server vpn.example.org
Account andrew
Password 5tr0ngp4ss0rd
Use Certificate ON
Certificate name.example.org
Now when you connect you will remain connected to your LAN (10.128.0.0/24) as well as the remote network 192.168.1.0/24. If you run netstat -rn you will see only the 192.168.1.0/24 network being routed via the tunnel interface, while the default route and the 10.128.0.0/24 LAN route stay on your local interface.
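"Only 192.168.1.0/24 via the tunnel" is the property worth checking every time, because a pool without the unity_split_include attribute quietly turns the connection into a full tunnel. The following is an added example (not part of the original post) that applies that check to a saved netstat -rn listing. Both listings below are constructed for the example, and the tunnel interface name (utun0) and the client's pool address (192.168.2.5) are assumptions; adjust LAN_IF and TUN_IF to what your Mac shows.

```shell
#!/bin/sh
# Added example, not from the original post: verify the split-tunnel outcome
# from a "netstat -rn" listing. The listings are constructed; the tunnel
# interface name (utun0) and the client's pool address (192.168.2.5) are
# assumptions, not something the post states.
set -eu

LAN_IF=en0
TUN_IF=utun0

# Constructed listing from a client whose split tunnel is working: the default
# route and the LAN stay on en0, only 192.168.1/24 goes via the tunnel.
SPLIT_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.128.0.1         UGSc           12        0     en0
10.128/24          link#4             UCS             2        0     en0
10.128.0.1         0:1:2:3:4:5        UHLWIir        14      300     en0   1200
127                127.0.0.1          UCS             0        0     lo0
192.168.1/24       192.168.2.5        UGSc            1        0   utun0
192.168.2.5        192.168.2.5        UH              0        0   utun0'

# Constructed listing from a full tunnel: the default route has moved to utun0,
# which is what you get when the pool carries no unity_split_include.
FULL_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.5        UGSc           12        0   utun0
10.128/24          link#4             UCS             2        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.2.5        192.168.2.5        UH              0        0   utun0'

# route_netif DEST TABLE: print the Netif column (field 6) of the first entry
# whose Destination equals DEST. Expire is optional, so $NF is not reliable.
route_netif() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $6; exit }'
}

# check_split_tunnel TABLE: succeed only if the default route and the LAN
# route are on the LAN interface and the remote subnet is on the tunnel.
check_split_tunnel() {
    [ "$(route_netif default "$1")" = "$LAN_IF" ] \
        || { echo "default route is not on $LAN_IF: full tunnel?" >&2; return 1; }
    [ "$(route_netif 10.128/24 "$1")" = "$LAN_IF" ] \
        || { echo "LAN 10.128.0.0/24 is not on $LAN_IF" >&2; return 1; }
    [ "$(route_netif 192.168.1/24 "$1")" = "$TUN_IF" ] \
        || { echo "192.168.1.0/24 is not routed via $TUN_IF" >&2; return 1; }
}

# Live use on the Mac, after connecting:
#   check_split_tunnel "$(netstat -rn)" && echo "split tunnel OK"
```

The check deliberately fails on the full-tunnel listing: if the default route has moved onto the tunnel, the LAN access the post sets out to preserve is gone, and every packet is now being pushed through the VPN gateway whether you intended that or not.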