Strongswan now supports Cisco unity extensions

November 07, 2012 at 07:40 AM | categories: Centos, Sysadmin, RHEL, Linux, Tips, Security, IPSEC

I previously wrote about setting up split tunneling on Strongswan using the attr-sql plugin.

With the release of Strongswan 5.0.1 it is no longer the only way to support split tunneling.

Strongswan 5.0.1 introduces the unity plugin, which allows split tunneling to be configured either through a charon option or through the attr plugin, which is enabled by default.

The unity plugin itself is not enabled by default; to enable it you need to add the following to your ./configure options:


Charon option

To enable this option you need to edit the strongswan.conf file and set:

charon {
    # ... other options
    cisco_unity = yes
}

As a client, strongswan will install IPsec policies only for the received Split-Include attributes, and bypass policies for received Local-LAN attributes.

As a server, strongswan will send Split-Include attributes for leftsubnet definitions containing multiple subnets to clients that support the IKEv1 Cisco Unity Extensions.

Attr plugin option

It is also possible to configure split tunneling using the attr plugin. Two new options have been added (the subnets below are example values):

  • split-include - Comma-separated list of subnets to tunnel
  • split-exclude - Comma-separated list of subnets not to tunnel

charon {
    plugins {
        attr {
            split-include = 10.1.0.0/16, 10.2.0.0/16
            split-exclude = 192.168.1.0/24
        }
    }
}
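Putting the server side together, as an added example that is not from the original post: strongswan.conf with the charon option enabled and an ipsec.conf conn whose leftsubnet lists two subnets, so that Unity-capable IKEv1 clients receive one Split-Include attribute per subnet. The conn name, subnets, address pool and certificate file name are constructed placeholders.

```ini
# /etc/strongswan.conf (added example, not the original post's configuration)
charon {
    # Build Split-Include attributes from the multi-subnet leftsubnet below
    # and send them only to IKEv1 clients announcing Cisco Unity support.
    cisco_unity = yes
}

# /etc/ipsec.conf (added example; conn name, subnets, pool and cert are constructed)
conn unity-roadwarrior
    keyexchange=ikev1
    left=%defaultroute
    # Two internal subnets: each becomes one Split-Include attribute.
    # Traffic to any other destination stays off the tunnel on the client.
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    leftcert=serverCert.pem
    leftauth=pubkey
    right=%any
    rightauth=pubkey
    # XAuth as the second authentication round for user credentials
    rightauth2=xauth
    # Virtual IP pool handed out to clients
    rightsourceip=10.99.0.0/24
    auto=add
```

On a Linux client, `ip xfrm policy` after the tunnel comes up lists the installed policies per received Split-Include subnet, which is the quickest way to confirm that only those destinations are being tunneled.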
