IPSEC split tunneling VPN with Mac OSX and Strongswan 5 on Centos/RHEL 6

September 01, 2012 at 10:08 AM | categories: Centos, Mac OS X, Howto, Sysadmin, RHEL, Linux, Tips, Security, IPSEC

Introduction

In my previous post I described how to set up an IPSEC VPN for use with iPhone, iPad and Mac OS X IPSEC VPN clients.

This post describes how to enable split tunneling, which the Mac OS X IPSEC client supports. Split tunneling is generally considered less secure than a full tunnel (the client keeps a direct path to its local LAN while it also holds a route into the remote network), but there are cases where a split tunnel is the right choice.

The scenario for this post: you are connected to a LAN (10.128.0.0/24) whose internet gateway is on that LAN, and you want to reach a second network, 192.168.1.0/24, which is only accessible via the VPN, while retaining access to resources on the LAN.

To follow this howto you need a strongswan rpm built with the attr-sql plugin and a sqlite or mysql backend plugin enabled. The EPEL rpm did not support these features at the time of writing, so you need to build your own custom strongswan rpm; you can download my spec file and use it to build the rpm.

Installation

Install the rpm

rpm -Uvh strongswan-5.0.0-5.el6.x86_64.rpm

Configuration

Use the following configuration files. If your installation is new, refer to my previous post on how to create the certificates.

Create strongswan configuration

This strongswan configuration allows you to use both certificates and pre-shared keys.

Add the username and password to /etc/strongswan/ipsec.secrets

andrew : XAUTH "5tr0ngp4ss0rd"

Add the pre-shared key to /etc/strongswan/ipsec.secrets

: PSK "very long pre shared key difficlult to guess"

Edit /etc/strongswan/ipsec.conf with the following content.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        esp=aes256-sha256-modp2048,aes256-sha1!
        ike=aes256-sha1-modp1536,aes256-sha512-modp1024,aes256-sha1-modp1024!
        auto=add

conn rw-xauth
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftauth=pubkey
        leftfirewall=yes
        right=%any
        rightauth=pubkey
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

conn rw-xauth-psk
        leftfirewall=yes
        leftauth=psk
        right=%any
        rightauth=psk
        rightauth2=xauth
        rightsourceip=%vpnclients
        rekey=yes

Add the attr-sql plugin configuration to /etc/strongswan/strongswan.conf

libhydra {
        plugins {
                attr-sql {
                        database = sqlite:///var/lib/strongswan/ipsec.db
                }
        }
}

Restart the service

Restart the service for the configurations to take effect.

service strongswan restart

Create the attr-sql database

Create a sqlite database to store the pool information.

wget -O sqlite.sql http://bit.ly/PyMe08
sqlite3 /var/lib/strongswan/ipsec.db < sqlite.sql

Create a database-backed pool

The pool stores the address range, the split tunnel network (192.168.1.0/24), the DNS server to assign and a banner. The unity_split_include attribute is what the Mac client turns into a route, so only the prefixes you add here are sent through the tunnel; they must also fall within leftsubnet in ipsec.conf, otherwise the gateway has no matching traffic selector for them.

strongswan pool --add vpnclients --start 192.168.2.0 --end 192.168.2.254 --timeout 48
strongswan pool --addattr dns --server 192.168.1.1 --pool vpnclients
strongswan pool --addattr unity_def_domain --string "example.org" --pool vpnclients
strongswan pool --addattr banner --string "example.org - all activity is monitored" --pool vpnclients
strongswan pool --addattr unity_split_include --subnet "192.168.1.0/255.255.255.0" --pool vpnclients
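The pool tool wants the split-include subnet as network/dotted-netmask (192.168.1.0/255.255.255.0 above) rather than CIDR, which is easy to get wrong when adding several prefixes. The following helper is an added example, not part of the original post or of strongSwan: it converts a prefix length to a netmask and prints the pool commands for a given pool, with one unity_split_include line per subnet so the list of tunnelled prefixes is explicit. The pool name, address range, DNS server, domain and banner are the example values from this post; the script only prints the commands, so you can review them before piping them into sh on the gateway.

```shell
#!/bin/sh
# Added example: generate "strongswan pool" commands for a split-tunnel
# pool from CIDR input. Values below are the post's example values.

# cidr_to_mask PREFIXLEN -> dotted-decimal netmask (e.g. 24 -> 255.255.255.0)
cidr_to_mask() {
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
    mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            n=255
        elif [ "$bits" -le 0 ]; then
            n=0
        else
            # partial octet: top "bits" bits set
            n=$(( 256 - (1 << (8 - bits)) ))
        fi
        bits=$(( bits - 8 ))
        mask="${mask}${mask:+.}${n}"
    done
    printf '%s\n' "$mask"
}

# split_subnet_arg 192.168.1.0/24 -> 192.168.1.0/255.255.255.0
# (the form the --subnet option of unity_split_include expects)
split_subnet_arg() {
    net=${1%/*}
    plen=${1#*/}
    printf '%s/%s\n' "$net" "$(cidr_to_mask "$plen")"
}

# pool_commands POOL START END DNS DOMAIN BANNER CIDR... -> commands on stdout
pool_commands() {
    pool=$1 start=$2 end=$3 dns=$4 domain=$5 banner=$6
    shift 6
    printf 'strongswan pool --add %s --start %s --end %s --timeout 48\n' "$pool" "$start" "$end"
    printf 'strongswan pool --addattr dns --server %s --pool %s\n' "$dns" "$pool"
    printf 'strongswan pool --addattr unity_def_domain --string "%s" --pool %s\n' "$domain" "$pool"
    printf 'strongswan pool --addattr banner --string "%s" --pool %s\n' "$banner" "$pool"
    # one unity_split_include per prefix: these, and only these, are routed
    # through the tunnel by the Mac client
    for cidr in "$@"; do
        printf 'strongswan pool --addattr unity_split_include --subnet "%s" --pool %s\n' \
            "$(split_subnet_arg "$cidr")" "$pool"
    done
}

# usage (prints the five commands from this post; pipe into sh to apply):
pool_commands vpnclients 192.168.2.0 192.168.2.254 192.168.1.1 example.org \
    "example.org - all activity is monitored" 192.168.1.0/24
```

Keep the set of prefixes passed here in step with leftsubnet in ipsec.conf: a prefix that is split-included but not covered by leftsubnet is routed to the tunnel by the client and then dropped by the gateway, while a prefix in leftsubnet that is not split-included is simply never routed to the tunnel.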

Testing

Configure your Mac OS X VPN client.

  • Launch System preferences then select Network > + > Interface > VPN > VPN Type > Cisco IPSEC > Create

Set the fields

Description      Strongswan-IPSEC
Server           vpn.example.org
Account          andrew
Password         5tr0ngp4ss0rd
Use Certificate  ON
Certificate      name.example.org

Now when you connect, you remain connected to your LAN as well as to the remote network 10.128.0.0/24. If you run netstat -rn you will see the 10.128.0.0/24 network being routed via the tunnel interface.
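Eyeballing netstat -rn works, but the property you actually want to confirm is that the tunnel carries exactly the split-included prefixes (192.168.1.0/24 from the pool above, plus the client's own virtual address) and that the default route still points at the LAN gateway. The script below is an added example, not part of the original post: it parses the routing table output and reports any route through the tunnel interface that is not on an expected list. The sample table is constructed, and the interface name utun0 is an assumption; pass whatever netstat shows for the tunnel on your Mac.

```shell
#!/bin/sh
# Added example: check a macOS routing table for a split tunnel.
# Feed it the output of "netstat -rn -f inet"; SAMPLE_ROUTES is a
# constructed table matching this post's scenario (LAN 10.128.0.0/24
# on en0, remote 192.168.1.0/24 via the tunnel, client address 192.168.2.5).
# The tunnel interface name utun0 is an assumption.

SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.128.0.1         UGSc           12        0     en0
10.128/24          link#4             UCS             2        0     en0
10.128.0.1         0:11:22:33:44:55   UHLWIir        13       86     en0   1195
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1       38     lo0
192.168.1/24       192.168.2.5        UGSc            0        0   utun0
192.168.2.5        192.168.2.5        UH              1        0   utun0'

# tunnel_routes ROUTES IFACE -> destinations whose Netif column is IFACE
tunnel_routes() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        col && $col == ifc { print $1 }'
}

# default_route_iface ROUTES -> Netif of the default route
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $6; exit }'
}

# check_split_tunnel ROUTES IFACE EXPECTED_DEST...
# 0 when the default route is off the tunnel and every tunnel route is
# expected; 1 otherwise, with the offending entries printed.
check_split_tunnel() {
    routes=$1 ifc=$2
    shift 2
    [ "$(default_route_iface "$routes")" != "$ifc" ] || {
        echo "default route goes through $ifc: this is a full tunnel, not a split one"
        return 1
    }
    rc=0
    for dest in $(tunnel_routes "$routes" "$ifc"); do
        ok=0
        for exp in "$@"; do [ "$dest" = "$exp" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "unexpected route via $ifc: $dest"; rc=1; }
    done
    return $rc
}

# usage on the constructed sample (netstat prints prefixes in short form):
check_split_tunnel "$SAMPLE_ROUTES" utun0 192.168.1/24 192.168.2.5 && echo "split tunnel OK"
# on the Mac itself:
#   check_split_tunnel "$(netstat -rn -f inet)" utun0 192.168.1/24 192.168.2.5
```

Run it again after reconnecting or after changing the pool: a new unity_split_include entry shows up as an "unexpected route" until you add it to the expected list, which is a cheap way to notice when the gateway starts pushing more of your traffic into the tunnel than you intended.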
