Hello Andreas,

Thank you for your quick reply.
Sadly, it does not work, but I think we're on the right path.
The Cisco client tells me "Negotiating security policies" before it stops silently.
On the other side, I don't see much in the pluto logs.
Any ideas?

kind regards,
Claude

On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
> Hello Claude,
>
> yes it should be possible with the Cisco_Unity functionality added
> to the attr-sql plugin with strongswan-4.4.1:
>
> - Enable the attr-sql and sqlite plugins
>
>   ./configure ... --enable-sqlite --enable-attr-sql
>
> - Create an SQLite database:
>
>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql |
>   sqlite3 /etc/ipsec.d/ipsec.db
>
> - Define the path to the database in strongswan.conf
>
>   libhydra {
>     plugins {
>       attr-sql {
>         database = sqlite:///etc/ipsec.d/ipsec.db
>       }
>     }
>   }
>
> - Create a virtual IP pool in the database using the ipsec pool tool
>
>   ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
>
> - Add internal DNS and WINS servers
>
>   ipsec pool --addattr dns  --server 10.1.0.10
>   ipsec pool --addattr dns  --server 10.1.1.10
>   ipsec pool --addattr nbns --server 10.1.0.20
>   ipsec pool --addattr nbns --server 10.1.1.20
>
> - Add default domain
>
>   ipsec pool --addattr unity_def_domain --string "strongswan.org"
>
> - Add welcome banner
>
>   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
>
> - Add split tunneling subnets !!!
>
>   ipsec pool --addattr unity_split_include --subnet \
>     "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
>
> - List all configured attributes
>
>   ipsec pool --statusattr
>
> - Configure the pool in ipsec.conf
>
>   conn rw-cisco
>        right=%any
>        rightsourceip=%mypool
>        leftsubnet=0.0.0.0/0
>
> I haven't actually tested this with the Cisco VPN Client but it
> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
> networks is tunneled.
>
> Regards
>
> Andreas
>
> On 21.10.2010 10:57, Claude Tompers wrote:
> > Hello,
> >
> > Is it possible to do split tunneling with CISCO VPN client and pluto
> > so that a road-warrior is still able to access i.e. printers in his
> > local network?
> >
> > kind regards Claude
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>

--
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
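
Added example (not part of the thread and not strongSwan code): the --subnet value in the quoted steps is a comma-separated list of network/netmask pairs rather than CIDR prefixes, so this Python helper converts and validates a subnet list before it is handed to ipsec pool. The function names and the rejection rules (host bits set, IPv6, a /0 entry, overlapping entries) are assumptions of this example.

```python
"""Build the unity_split_include --subnet value from a list of subnets."""
import ipaddress
import shlex


def unity_split_include(prefixes):
    """Return 'net/mask,net/mask,...' in the format used in the thread.

    Accepts CIDR ("10.1.0.0/16") or netmask ("10.1.0.0/255.255.0.0") input.
    Raises ValueError for entries that do not describe a clean IPv4 subnet.
    """
    accepted = []
    for text in prefixes:
        # strict=True rejects addresses with host bits set, e.g. 10.1.0.5/16
        net = ipaddress.ip_network(text.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"{text}: only IPv4 subnets are handled here")
        if net.prefixlen == 0:
            # Example policy: a /0 entry covers every destination.
            raise ValueError(f"{text}: /0 is not a split-tunnel subnet")
        for other in accepted:
            if net.overlaps(other):
                raise ValueError(f"{text}: overlaps {other}")
        accepted.append(net)
    if not accepted:
        raise ValueError("no subnets given")
    return ",".join(f"{n.network_address}/{n.netmask}" for n in accepted)


def pool_command(prefixes):
    """Argument vector for the 'ipsec pool --addattr' call from the thread."""
    return ["ipsec", "pool", "--addattr", "unity_split_include",
            "--subnet", unity_split_include(prefixes)]


if __name__ == "__main__":
    # Subnets taken from the thread; printed, not executed.
    print(shlex.join(pool_command(["10.1.0.0/16", "10.3.5.0/24"])))
```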