Thanks to ipfire v158 it’s easier than ever to allow macOS and iOS devices to connect via IPSec directly, no third-party app required.
It works great on macOS Catalina 10.15.7 & Big Sur 11.5.2 for IPSec Roadwarrior & Certificate, but I have to set “Local Subnet” to “0.0.0.0/0” to have access to the office’s local DNS, or else the DNS names will not resolve (even if setting the DNS Server manually).
Sadly, all traffic routes through the IPSec VPN, which is not desired if you have a lot of connected IPSec connections… so Split Tunneling would be the solution to allow connection to the office’s network but have other traffic routed via the home’s router.
Here are the commands for split tunneling for Cisco IPSec on macOS, but they don’t seem to work for me:
(192.168.64 is the office’s network / 192.168.178.1 is my home router “fritzbox”)
Thanks, but checking /etc/ipsec.conf the value of leftsubnet is: leftsubnet=0.0.0.0/0 (that’s the value from Local Subnet in the WebUI).
and setting it to: leftsubnet=192.168.64.0/24
doesn’t resolve the internal office’s DNS even if the DNS Server is set to 192.168.64.1 (office’s ipfire firewall)…
And what if you put something like this in /etc/ipsec.user.conf?
conn mac
    leftsendcert=always
    leftallowany=yes
    rightdns=192.168.64.1
    rekey=no
    reauth=no
where “mac” is the name I gave when creating the certificate of the client (you change it to yours), and the only entry of interest for your problem is “rightdns”. This entry should just push the DNS setting to the clients, in case this is why they are not using your VPN office DNS.
Unfortunately this doesn’t work either (my connection name is MyConfig)… still everything is routed through the VPN, even if I set leftsubnet=192.168.64.0/24 (but then no DNS names resolve).
Does Split-Tunneling work for you ?
Sorry, I was thinking about /etc/resolv.conf on your ipfire firewall, and yes, a rule on green is set for DNS.
The DNS is not passed to the client when I narrow the “Local Subnet” to our office’s LAN 192.168.64.0/24 (when setting to 0.0.0.0/0 DNS works but then all traffic is routed through the VPN).
Read the manual; the way I understood how this works would be something like this: if you have a local DNS at 192.168.64.1, a local domain called “localdomain” and 3 computers in your local domain, host1, 2 and 3, the entry would be:
Any other query not included in the array of “SupplementalMatchDomains” should be resolved by the system default DNS server, according to the documentation.
After reading the PDF I’ve added the keys ServerAddresses, SearchDomains and SupplementalMatchDomains right after AuthPassword, but still no split-tunneling; I found a manual solution, though, see below:
# ping mailsrv.myoffice.local
PING mailsrv.myoffice.local (192.168.64.102): 56 data bytes
64 bytes from 192.168.64.102: icmp_seq=0 ttl=63 time=3.451 ms
64 bytes from 192.168.64.102: icmp_seq=1 ttl=63 time=3.005 ms
SOLVED! macOS Split-Tunneling works now! Tested on macOS Big Sur 11.5.2.
No need to edit the Profile file, just edit /etc/strongswan.d/charon/attr.conf… read on:
Just edit /etc/strongswan.d/charon/attr.conf for Split-Tunneling on macOS (and iOS too) and add the line:
25 = myoffice.local
Of course change myoffice.local to your internal DNS name.
So /etc/strongswan.d/charon/attr.conf looks like:
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
    # Add the following for IPSec split-tunnel
    # See https://www.frakkingsweet.com/strongswan-ikev2-split-dns-and-ios/
    #
    25 = myoffice.local

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}
I also narrowed the Local Subnet to 192.168.64.0/24 instead of 0.0.0.0/0 in IPSec WebUI > edit Connection.
Then restart ipsec: # ipsec restart
Finally IPSec Split-Tunneling should work! Hope this helps others…
It would be great to have this option in the IPSec WebUI…
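The fix above is a hand edit of attr.conf. As an added example (not from this thread or from IPFire/strongSwan), the following POSIX shell script does the same edit idempotently so it survives being re-run after an update: it validates the domain, inserts the `25 = <domain>` line (configuration-payload attribute 25 is INTERNAL_DNS_DOMAIN, the attribute the post uses) directly inside the `attr { ... }` block, refuses to proceed if `load = yes` is not present, and can print what is currently configured. The path in ATTR_CONF and the function names are this example's own choices; the attr.conf layout it expects is the stock one shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Idempotently push a split-DNS domain (CP attribute 25, INTERNAL_DNS_DOMAIN)
# to IKEv2 clients via strongSwan's attr plugin.
# Assumed default location (override with ATTR_CONF=... in the environment):
ATTR_CONF=${ATTR_CONF:-/etc/strongswan.d/charon/attr.conf}

# add_split_dns FILE DOMAIN
# Ensures "25 = DOMAIN" exists inside the attr { ... } block of FILE.
# Returns 1 on a bad domain or if the attr plugin is not set to load.
add_split_dns() {
    file=$1
    domain=$2
    # Only accept hostname characters: keeps sed/awk metacharacters out.
    case $domain in
        ''|*[!A-Za-z0-9.-]*) echo "add_split_dns: bad domain '$domain'" >&2; return 1 ;;
    esac
    # Create a minimal attr.conf if none exists (e.g. on a test system).
    if [ ! -f "$file" ]; then
        printf 'attr {\n    load = yes\n}\n' > "$file"
    fi
    # Escape dots so the regex matches the literal domain, not "any char".
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*25[[:space:]]*=[[:space:]]*$esc[[:space:]]*\$" "$file"; then
        return 0   # already configured; nothing to do
    fi
    # Insert the attribute right after the "attr {" line, preserving the rest.
    tmp=$(mktemp) || return 1
    awk -v dom="$domain" '
        { print }
        /^[[:space:]]*attr[[:space:]]*[{]/ && !inserted {
            print "    # IPsec split DNS: INTERNAL_DNS_DOMAIN pushed to clients"
            print "    25 = " dom
            inserted = 1
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
    # The attribute is useless if the plugin is not loaded; fail loudly.
    grep -Eq '^[[:space:]]*load[[:space:]]*=[[:space:]]*yes' "$file" || {
        echo "add_split_dns: attr plugin is not set to load in $file" >&2
        return 1
    }
}

# show_split_dns FILE  -> prints every domain currently pushed as attribute 25
show_split_dns() {
    sed -n 's/^[[:space:]]*25[[:space:]]*=[[:space:]]*//p' "$1"
}

# Usage: sh split_dns.sh myoffice.local   (then: ipsec restart)
if [ -n "${1:-}" ]; then
    add_split_dns "$ATTR_CONF" "$1" && show_split_dns "$ATTR_CONF" \
        && echo "attribute written; now run: ipsec restart"
fi
```

Running the script twice with the same domain leaves exactly one `25 = ...` line, so it can sit in a post-update hook; as in the post, the Local Subnet must still be narrowed to the office LAN in the WebUI and `ipsec restart` run afterwards.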