
Bug #445

Updated by Tobias Brunner almost 7 years ago

Hello,

I tried to check whether UNITY_SPLIT_INCLUDE works, so I've set up a small VPN server with the following config:

<pre>
conn Corp-VPN-RSA-XAuth
leftauth=pubkey
leftcert=10000000000000.pem
left=%any
leftsubnet=192.168.254.0/23
right=%any
rightauth=pubkey
rightauth2=xauth-eap
rightsourceip=192.168.254.16/28
rightdns=192.168.254.1
keyexchange=ikev1
ike=aes256-sha1-modp1536!
esp=aes256-sha1!
compress=yes
fragmentation=yes
auto=add
</pre>


I've tried to connect to it using both the Cisco VPN client and the ShrewSoft VPN client, but both of them refused to use leftsubnet for split tunnelling and tried to use 0.0.0.0/0.

Logs from the Cisco VPN client said that the UNITY_SPLIT_INCLUDE attribute contained no data:

<pre>
283 09:43:13.960 11/15/13 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data

284 09:43:13.960 11/15/13 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data
</pre>

However, the strongSwan log claims that there was some data in that payload:

<pre>
Nov 15 09:43:21 13[IKE] assigning virtual IP 192.168.254.17 to peer 'st41ker'
Nov 15 09:43:21 13[CFG] sending UNITY_SPLIT_INCLUDE: 192.168.254.0/23
Nov 15 09:43:21 13[ENC] generating TRANSACTION response 2009454997 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
</pre>


I have no idea how to see what exactly was in the packet, so I've posted the issue here.
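As an added example (not part of the report and not strongSwan's own code): a small decoder for IKEv1 Mode Config attributes that shows what a UNITY_SPLIT_INCLUDE value would contain. It assumes the 14-byte entry layout (address, netmask, protocol, source port, destination port) that strongSwan's unity plugin is believed to emit; a zero-length value decodes to an empty list, which is the "attribute with no data" case the Cisco client logged.

```python
import struct
import ipaddress

# Mode Config attribute types: INTERNAL_IP4_ADDRESS (ISAKMP registry), UNITY_SPLIT_INCLUDE (Cisco Unity).
INTERNAL_IP4_ADDRESS = 1
UNITY_SPLIT_INCLUDE = 28676
# Assumed entry layout (as strongSwan's unity plugin encodes it): addr(4) mask(4) proto(2) sport(2) dport(2)
ENTRY = struct.Struct("!4s4sHHH")

def encode_split_include(networks):
    """Build one UNITY_SPLIT_INCLUDE TLV (type, length, value) from IPv4 network strings."""
    value = b"".join(ENTRY.pack(n.network_address.packed, n.netmask.packed, 0, 0, 0)
                     for n in map(ipaddress.IPv4Network, networks))
    return struct.pack("!HH", UNITY_SPLIT_INCLUDE, len(value)) + value

def parse_attributes(body):
    """Yield (type, value) for each attribute in a Mode Config payload body.
    High bit of the type set = TV (2-byte value inline); clear = TLV (second field is the length)."""
    off = 0
    while off + 4 <= len(body):
        atype, lv = struct.unpack_from("!HH", body, off)
        off += 4
        if atype & 0x8000:
            yield atype & 0x7FFF, struct.pack("!H", lv)
        else:
            if off + lv > len(body):
                raise ValueError("attribute length runs past the payload")
            yield atype, body[off:off + lv]
            off += lv

def decode_split_include(value):
    """Return [(network, proto, sport, dport), ...]; [] is the 'attribute with no data' case."""
    if len(value) % ENTRY.size:
        raise ValueError("value is not a multiple of %d bytes" % ENTRY.size)
    entries = []
    for addr, mask, proto, sport, dport in ENTRY.iter_unpack(value):
        net = ipaddress.IPv4Network((str(ipaddress.IPv4Address(addr)),
                                     str(ipaddress.IPv4Address(mask))), strict=False)
        entries.append((str(net), proto, sport, dport))
    return entries

def split_networks(body):
    """Networks carried by every UNITY_SPLIT_INCLUDE attribute in a payload body."""
    return [e[0] for t, v in parse_attributes(body) if t == UNITY_SPLIT_INCLUDE
            for e in decode_split_include(v)]

# Constructed sample body: the virtual IP from the log plus the split-include attribute.
SAMPLE_BODY = (struct.pack("!HH", INTERNAL_IP4_ADDRESS, 4)
               + ipaddress.IPv4Address("192.168.254.17").packed
               + encode_split_include(["192.168.254.0/23"]))
```

Feeding the raw attribute bytes from a packet capture (after IKE decryption) into parse_attributes shows whether the split-include value really left the server with 14 bytes or with a zero length.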
