IPSec on macOS and split tunneling

Hi,

Thanks to ipfire v158 it’s easier than ever to allow macOS and iOS devices to connect via IPSec directly, no third-party app required.

It works great on macOS Catalina 10.15.7 & Big Sur 11.5.2 for IPSec Roadwarrior & Certificate, but I have to set “Local Subnet” to “0.0.0.0/0” to have access to the office’s local DNS or else the DNS names will not resolve (even if setting the DNS Server manually).

Sadly all traffic routes through the IPSec VPN which is not desired if you have a lot of connected IPSec connections…so Split Tunneling would be the solution to allow connection to the office’s network but other traffic routed via the home’s router.

Here are the commands for split tunneling for Cisco IPSec on macOS, but they don’t seem to work for me:
(192.168.64 is the office’s network / 192.168.178.1 is my home router “fritzbox”)

sudo route -nv add -net 192.168.64 -interface ipsec0
sudo route change default 192.168.178.1

A better solution would of course be to have Split Tunneling directly in the ipfire IPSec configuration…at least a Cisco Unity plugin existed for Strongswan a long time ago: [strongSwan] Need help with StrongSwan & Mac OS X split tunneling

Or any other suggestion how to implement Split Tunneling via /etc/ipsec.user.conf ?

thanks

Reading https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling, maybe it should be:

leftsubnet=192.168.64.0/24

What do you think?

Thanks, but checking /etc/ipsec.conf the value of leftsubnet is:
leftsubnet=0.0.0.0/0 (that’s the value from Local Subnet in the WebUI)
and setting it to:
leftsubnet=192.168.64.0/24
doesn’t resolve the internal office’s DNS even if DNS Server is set to 192.168.64.1 (office’s ipfire firewall)…

And if you put something like this in /etc/ipsec.user.conf?

conn mac
	leftsendcert=always
	leftallowany=yes
	rightdns=192.168.64.1
	rekey=no
	reauth=no

where “mac” is the name I gave when creating the certificate of the client (change it to yours), and the only entry of interest for your problem is “rightdns”. This entry should just push the DNS setting to the clients, in case this is why they are not using your VPN office DNS.

Unfortunately this doesn’t work either (my connection name is MyConfig)…still everything is routed through the VPN, even if I set leftsubnet=192.168.64.0/24 (but then no DNS names resolve).
Does Split-Tunneling work for you?

What do you have in /etc/resolv.conf ?

Do you have a rule in the firewall to allow the green network to access the DNS (I imagine yes since you have problems only with a split tunnel)?

Is the DNS not passed to the client or is the client ignoring the entry when you have a split tunnel?

I do not use split tunnels. I will try when I find a bit of time and report here.

As expected, but as I said, I do not have a split tunnel.

Hasbeen-MBP:~ cfusco$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : localdomain
  nameserver[0] : 10.1.1.1
  if_index : 12 (ipsec0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
[...]

How about this?

https://www.frakkingsweet.com/strongswan-ikev2-split-dns-and-ios/

Also this one, which is really old, but it goes in the same direction.

https://serverfault.com/questions/521536/strongswan-cant-push-dns-resolver-to-osx-mountain-lion-split-tunnel

Maybe this problem is old but has never been fixed by apple?

Sorry I was thinking about /etc/resolv.conf on your ipfire-firewall and yes a rule on green is set for DNS.

The DNS is not passed to the client when I narrow the “Local Subnet” to our office’s LAN 192.168.64.0/24 (when setting to 0.0.0.0/0 DNS works but then all traffic is routed through the VPN).

Tried also to bypass lan…taken from Strongswan’s mailing list:
https://lists.strongswan.org/pipermail/users/2015-January/007289.html

conn lanbypass
	leftsubnet=192.168.64.0/24
	rightsubnet=192.168.66.0/24
	rightdns=192.168.64.1
	type=passthrough
	auto=route

(here 192.168.66.0/24 is IPSec’s Host-to-Net Virtual Private Network)

but no luck yet…

@cgil check the attr angle from my other message, where I posted those two links.

see also the official documentation: attr plugin - strongSwan

It looks like 28674 and 28675 are extensions only for IKEv1

@cgil

I think I found the solution. You have to manually modify the file generated by IPFire for Apple Configurator, here is how:

https://lists.strongswan.org/pipermail/users/2015-October/008842.html

This is the documentation manual for the Apple Configurator XML syntax: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

In particular the DNS Dictionary Keys section, SupplementalMatchDomains, on how to control split DNS.


Thanks…so I need to edit the downloaded profile MyConnection.mobileconfig and add the following key:

<key>DNS</key>
<dict>
    <key>ServerAddresses</key>
    <array>
            <string>1.1.1.1</string>
            <string>2.2.2.2</string>
    </array>
    <key>SearchDomains</key>
    <array>
            <string>test2.com</string>
            <string>test3.com</string>
    </array>
    <key>SupplementalMatchDomains</key>
    <array>
            <string>test2.com</string>
            <string>test3.com</string>
    </array>
</dict>

but which values to set for 1.1.1.1? 192.168.64.1 maybe?

Read the manual; the way I understood how this works would be something like this: if you have a local DNS at 192.168.64.1, a local domain called “localdomain” and 3 computers in your local domain, host1, 2 and 3, the entry would be:

<key>DNS</key>
<dict>
    <key>ServerAddresses</key>
    <array>
            <string>192.168.64.1</string>
    </array>
    <key>SearchDomains</key>
    <array>
           <string>host1.localdomain</string>
           <string>host2.localdomain</string>
           <string>host3.localdomain</string>
    </array>
    <key>SupplementalMatchDomains</key>
    <array>
            <string>host1.localdomain</string>
            <string>host2.localdomain</string>
            <string>host3.localdomain</string>
    </array>
</dict>

Any other query not included in the array of “SupplementalMatchDomains” should be resolved by the system default DNS server, according to the documentation.


After reading the PDF I’ve added the keys ServerAddresses, SearchDomains and SupplementalMatchDomains right after AuthPassword, but still no split-tunneling. I found a manual solution, though, see below:

Added to the MyConnection.profile:

<string>MyConnection</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>IKEv2</key>
...
<key>AuthPassword</key>
<string></string>
<key>ServerAddresses</key>
<array>
<string>192.168.64.1</string>
</array>
<key>SupplementalMatchDomains</key>
<array>
<string>myoffice.local</string>
</array>

Trying to ping our mailserver fails:

#ping mailsrv.myoffice.local
ping: cannot resolve mailsrv.myoffice.local: Unknown host

However I’ve found out when using scutil it works:

#sudo scutil
> d.init
> d.add ServerAddresses * 192.168.64.1
> d.add SupplementalMatchDomains * myoffice.local
> set State:/Network/Service/aabbcc/DNS
> d.show
<dictionary> {
  ServerAddresses : <array> {
    0 : 192.168.64.1
  }
  SupplementalMatchDomains : <array> {
    0 : myoffice.local
  }
}
> quit

Pinging the mailsrv: success!

#ping mailsrv.myoffice.local
PING mailsrv.myoffice.local (192.168.64.102): 56 data bytes
64 bytes from 192.168.64.102: icmp_seq=0 ttl=63 time=3.451 ms
64 bytes from 192.168.64.102: icmp_seq=1 ttl=63 time=3.005 ms

Now remove DNS and ping fails:

sudo scutil
> remove State:/Network/Service/aabbcc/DNS
> quit

Pinging the mailsrv fails!

#ping mailsrv.myoffice.local
ping: cannot resolve mailsrv.myoffice.local: Unknown host

So I need to further investigate the .profile file…
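The two posts above (the DNS dictionary keys from the Configuration Profile Reference, and the attempt to add ServerAddresses and SupplementalMatchDomains to the downloaded profile) are easier to reason about with the plist built and checked in code. The following is an added example, not the profile IPFire generates and not code from anyone in this thread. It builds a com.apple.vpn.managed payload with plistlib, places the DNS dictionary at the payload level next to VPNType and IKEv2 (where the profile reference lists it) rather than inside the IKEv2 dictionary, round-trips the XML, and simulates the split-DNS decision: a name equal to or under a SupplementalMatchDomains entry goes to the VPN resolver, anything else to the system resolver. The server name vpn.example.test, the helper names and the 192.168.178.1 home resolver are assumptions for the example; 192.168.64.1 and myoffice.local are the values used in the thread.

```python
import plistlib
import uuid


def build_vpn_payload(name, server, vpn_dns, match_domains, search_domains=None):
    """Return a com.apple.vpn.managed payload dict carrying a split-DNS 'DNS' dictionary.

    Constructed example structure; keys are those documented in Apple's
    Configuration Profile Reference, values are placeholders.
    """
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.vpn.{name}",          # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "AuthenticationMethod": "Certificate",
        },
        # DNS is a sibling of IKEv2, not a child of it.
        "DNS": {
            "ServerAddresses": list(vpn_dns),
            "SearchDomains": list(search_domains or match_domains),
            "SupplementalMatchDomains": list(match_domains),
        },
    }


def profile_xml(display_name, payloads):
    """Wrap VPN payloads in a top-level Configuration profile and serialise to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"example.profile.{display_name}",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def find_vpn_dns(xml_bytes):
    """Load a profile and return the DNS dictionary of its first VPN payload.

    Raises if the DNS dictionary was nested inside IKEv2 instead of the payload level,
    which is the placement that silently does nothing.
    """
    profile = plistlib.loads(xml_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if "DNS" in payload.get("IKEv2", {}):
            raise ValueError("DNS dictionary must be a payload-level key, not inside IKEv2")
        return payload.get("DNS")
    return None


def resolver_for(qname, dns_dict, system_dns):
    """Pick the resolver for `qname`: VPN server for names in (or under) a
    SupplementalMatchDomains entry, otherwise the system default resolver."""
    name = qname.rstrip(".").lower()
    for domain in dns_dict.get("SupplementalMatchDomains", []):
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return dns_dict["ServerAddresses"][0]
    return system_dns


if __name__ == "__main__":
    payload = build_vpn_payload("MyConnection", "vpn.example.test",
                                ["192.168.64.1"], ["myoffice.local"])
    xml = profile_xml("MyConnection", [payload])
    dns = find_vpn_dns(xml)
    for host in ("mailsrv.myoffice.local", "www.example.com"):
        print(host, "->", resolver_for(host, dns, "192.168.178.1"))
```

Running it prints the office mail server resolving via 192.168.64.1 and an external name via the home router, which is the behaviour a working split-DNS profile should give; find_vpn_dns is the check to run on an edited .mobileconfig before installing it.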

SOLVED! macOS Split-Tunneling works now! Tested on macOS Big Sur 11.5.2
No need to edit the Profile file, just edit /etc/strongswan.d/charon/attr.conf…read on:

First I didn’t see the article of Frakkingsweet that @cfusco posted earlier:
https://www.frakkingsweet.com/strongswan-ikev2-split-dns-and-ios/

Just edit /etc/strongswan.d/charon/attr.conf for Split-Tunneling on macOS (and iOS too) and add the line:

25 = myoffice.local

Of course change myoffice.local to your internal DNS name.

So /etc/strongswan.d/charon/attr.conf looks like:

# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
    # Add the following for IPSec split-tunnel
    # See https://www.frakkingsweet.com/strongswan-ikev2-split-dns-and-ios/
    #
    25 = myoffice.local

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
}

I also narrowed the Local Subnet to 192.168.64.0/24 instead of 0.0.0.0/0 in IPSec WebUI > edit Connection.

Then restart ipsec:
#ipsec restart

Finally IPSec Split-Tunneling should work! Hope this helps others…
It would be great to have this option in the IPSec WebUI…


Note:
The attribute 25 = myoffice.local corresponds to the “INTERNAL_DNS_DOMAIN”, here:
IKEv2 Configuration Payload Attribute Types
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21
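To make the “25 = myoffice.local” line concrete, here is an added example (not strongSwan’s code and not from anyone in this thread) that follows the value from attr.conf onto the wire and back: a small parser for the attr section (integers and the dns keyword only, a subset of what the real plugin accepts), an encoder and decoder for the IKEv2 Configuration Payload from RFC 7296 section 3.15 (2-byte type with the R bit, 2-byte length, value), and the client-side step that pairs INTERNAL_IP4_DNS (3) with INTERNAL_DNS_DOMAIN (25, RFC 8598) into a split-DNS rule. The client address 192.168.66.10 is a constructed value from the Host-to-Net pool mentioned in the thread.

```python
import ipaddress
import struct

# IKEv2 Configuration Attribute types from the IANA registry the note above links to
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_DNS_DOMAIN = 25      # RFC 8598; the "25 = ..." line in attr.conf

CFG_REQUEST, CFG_REPLY = 1, 2


def parse_attr_conf(text):
    """Turn the attr { ... } section into (type, value) pairs the plugin would send.

    Simplified example: handles '<int> = value' and 'dns = <ip>' only,
    skips comments, braces and the 'load' switch.
    """
    attrs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue                                   # 'attr {', '}', blank lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not value or key == "load":
            continue
        if key.isdigit():
            attrs.append((int(key), value.encode("ascii")))
        elif key == "dns":
            attrs.append((INTERNAL_IP4_DNS, ipaddress.IPv4Address(value).packed))
        else:
            raise ValueError(f"unsupported key {key!r} in this simplified parser")
    return attrs


def encode_attribute(attr_type, value):
    """R bit (MSB) clear, 15-bit type, 16-bit length, then the value octets."""
    if not 0 <= attr_type <= 0x7FFF:
        raise ValueError("attribute type must fit in 15 bits")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_cp(cfg_type, attrs, next_payload=0):
    """Configuration Payload: generic header (next, critical, length) + CFG type + 3 reserved."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    length = 4 + 4 + len(body)
    return struct.pack("!BBHB3x", next_payload, 0, length, cfg_type) + body


def decode_cp(data):
    """Parse a Configuration Payload, rejecting length mismatches and a set R bit."""
    _next, _crit, length, cfg_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("payload length does not match data")
    attrs, off = [], 8
    while off < length:
        attr_type, alen = struct.unpack("!HH", data[off:off + 4])
        if attr_type & 0x8000:
            raise ValueError("reserved R bit set")
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs.append((attr_type, value))
        off += 4 + alen
    return cfg_type, attrs


def split_dns_from_reply(attrs):
    """What a client needs for a split-DNS rule: the DNS servers and the matching domains."""
    servers = [str(ipaddress.IPv4Address(v)) for t, v in attrs
               if t == INTERNAL_IP4_DNS and len(v) == 4]
    domains = [v.decode("ascii") for t, v in attrs if t == INTERNAL_DNS_DOMAIN]
    return servers, domains


if __name__ == "__main__":
    conf = "attr {\n    25 = myoffice.local\n    dns = 192.168.64.1\n    load = yes\n}\n"
    attrs = [(INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address("192.168.66.10").packed)]
    attrs += parse_attr_conf(conf)
    reply = encode_cp(CFG_REPLY, attrs)
    print(reply.hex())
    print(split_dns_from_reply(decode_cp(reply)[1]))
```

Without the domain attribute the reply carries only INTERNAL_IP4_DNS, which is exactly the case where macOS has nothing to scope the resolver to and only a 0.0.0.0/0 Local Subnet makes names resolve; with attribute 25 present the client gets both halves of the rule.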

@cgil Congratulations. Excellent job.