Issue #635
Problem using split tunnel with iOS
Description
Here is the issue: I want to use iOS as the client and have some specific IPs not go through the VPN tunnel.
After reading the doc on the wiki, http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling,
I know that on iOS we can only use attr (iOS racoon does not support IKEv2).
So I changed strongswan.conf like this:
    cisco_unity = yes
    plugins {
        attr {
            split-include = 0.0.0.0/0
            split-exclude = 17.0.0.0/8, 183.57.84.84/24
        }
    }
But the connection cannot be made since I use 0.0.0.0; if I leave it blank or delete split-include, access to the IPs in split-exclude is blocked instead of going through the LAN.
It's weird, and I have dug through Google for two days but found no answer.
History
#1 Updated by richard hu about 11 years ago
It seems the format was not good to read; posting the full last sentence again:
But the connection cannot be made since I use 0.0.0.0; if I leave it blank or delete split-include, access to the IPs in split-exclude is blocked instead of going through the LAN.
It's weird, and I have dug through Google for two days but found no answer.
#2 Updated by Tobias Brunner about 11 years ago
- Description updated (diff)
- Category changed from libcharon to interoperability
- Status changed from New to Feedback
- Priority changed from High to Normal
> I know that on iOS we can only use attr (iOS racoon does not support IKEv2).
For split-include you can also use the unity plugin and define a list of subnets in leftsubnet.
> But the connection cannot be made since I use 0.0.0.0; if I leave it blank or delete split-include, access to the IPs in split-exclude is blocked instead of going through the LAN.
Well, strongSwan can really only send the attributes to the client and hope it does the right thing with them. If iOS does not you should probably complain to Apple about it.
#3 Updated by richard hu about 11 years ago
Tobias Brunner wrote:
> > I know that on iOS we can only use attr (iOS racoon does not support IKEv2).
> For split-include you can also use the unity plugin and define a list of subnets in leftsubnet.
> > But the connection cannot be made since I use 0.0.0.0; if I leave it blank or delete split-include, access to the IPs in split-exclude is blocked instead of going through the LAN.
> Well, strongSwan can really only send the attributes to the client and hope it does the right thing with them. If iOS does not you should probably complain to Apple about it.
I changed the leftsubnet in ipsec.conf; that does not work either. All the traffic still goes through the VPN.
Besides complaining to Apple, is there no other way to work around this?
#4 Updated by Tobias Brunner about 11 years ago
> Besides complaining to Apple, is there no other way to work around this?
Perhaps it works if you define all subnets except those you don't want to tunnel in leftsubnet (or split-include), and don't configure split-exclude at all.
For example, excluding 17.0.0.0/8 and 183.57.84.0/24 from 0.0.0.0/0 would look like this:
leftsubnet=0.0.0.0/4,16.0.0.0/8,18.0.0.0/7,20.0.0.0/6,24.0.0.0/5,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/4,176.0.0.0/6,180.0.0.0/7,182.0.0.0/8,183.0.0.0/11,183.32.0.0/12,183.48.0.0/13,183.56.0.0/16,183.57.0.0/18,183.57.64.0/20,183.57.80.0/22,183.57.85.0/24,183.57.86.0/23,183.57.88.0/21,183.57.96.0/19,183.57.128.0/17,183.58.0.0/15,183.60.0.0/14,183.64.0.0/10,183.128.0.0/9,184.0.0.0/5,192.0.0.0/2
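The subnet list above can be generated rather than worked out by hand. The following is an added example, not code from the strongSwan project or from anyone in this thread; it uses only Python's standard ipaddress module, and the helper names exclude_subnets, leftsubnet_line and is_tunneled are this example's own. It repeatedly splits the base network around each excluded prefix (the usual CIDR-complement computation), emits the resulting leftsubnet= line, and normalises a value with host bits set, such as the 183.57.84.84/24 from the description, to its network address before excluding it.

```python
import ipaddress

# Added example (not strongSwan code): compute the CIDR blocks that cover a
# base network minus a set of excluded prefixes, as done by hand above.


def exclude_subnets(base, excludes):
    """Return the sorted, minimal list of networks covering `base` minus `excludes`.

    Arguments are strings. strict=False lets a value with host bits set,
    e.g. "183.57.84.84/24", normalise to 183.57.84.0/24 instead of raising.
    """
    remaining = [ipaddress.ip_network(base, strict=False)]
    for ex in excludes:
        ex_net = ipaddress.ip_network(ex, strict=False)
        next_remaining = []
        for net in remaining:
            if net.subnet_of(ex_net):
                # The whole block (or an identical block) lies inside the
                # exclusion: drop it entirely.
                continue
            if ex_net.subnet_of(net):
                # The exclusion sits inside this block: keep the largest
                # aligned pieces around it (what address_exclude yields).
                next_remaining.extend(net.address_exclude(ex_net))
            else:
                # CIDR blocks are either nested or disjoint; this one is untouched.
                next_remaining.append(net)
        remaining = next_remaining
    # Merge any adjacent blocks that happen to form a larger aligned prefix.
    return sorted(ipaddress.collapse_addresses(remaining))


def leftsubnet_line(base, excludes):
    """Render the result as a single ipsec.conf leftsubnet= setting."""
    return "leftsubnet=" + ",".join(str(n) for n in exclude_subnets(base, excludes))


def is_tunneled(address, networks):
    """True if `address` falls inside one of the computed (tunneled) blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    # The two exclusions discussed in this issue; the second carries host bits
    # exactly as written in the description and is normalised to 183.57.84.0/24.
    excluded = ["17.0.0.0/8", "183.57.84.84/24"]
    print(leftsubnet_line("0.0.0.0/0", excluded))
    nets = exclude_subnets("0.0.0.0/0", excluded)
    for probe in ("17.1.2.3", "183.57.84.84", "183.57.85.1", "16.0.0.1"):
        print(probe, "tunneled" if is_tunneled(probe, nets) else "excluded via LAN")
```

Run as a script, it prints the same 30-entry leftsubnet= line given above and then reports, for a few probe addresses, whether the resulting policy would send them into the tunnel; the is_tunneled check is a quick way to confirm that a hand-edited list really leaves out only the intended prefixes before it goes into ipsec.conf.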
#5 Updated by Tobias Brunner about 10 years ago
- Status changed from Feedback to Closed
- Resolution set to No feedback