Client Routing table with Mobile Ipsec
-
Good day,
I've managed to configure mobile vpn with ipsec and I am able to connect to the vpn.
I'm using cisco vpn ipsec client.
At the moment i have to manually add a route to the LAN on the other side of the tunnel.
For example
route add -host 10.0.0.164 192.168.10.2When i execute the following command:
route -n get 10.0.0.100It seems that the route to 10.0.0.0/24 is still passing via the default gateway of the local wifi connection.
I've searched the internet and found examples where people create bash scripts to populate the routing table.
This is not ideal, any advice on how i can get the routes to populate automatically?
-
I found the reason why the routing was problematic.
My local network is on the network range 10.0.0.0/24.
I've created an account for a coworker, his local network range is 192.168.0.0/24.
He doesn't need to add routes and he can connect to any server on the other side of the tunnel.The virtual ip pool is set to 192.168.10.0/27. Which can be set VPN -> IPSec -> Mobile Clients -> Virtual Address Pool
I've made a workaround:
created a bash script:#!/bin/bash vpn_lanip=`netstat -rn|awk '/192.168.10/{print $2}'|head -1` if [[ $vpn_lanip != "" ]]; then route delete -net 10.0.0.0/24 $vpn_lanip route add -net 10.0.0.0/24 $vpn_lanip fiThen created a plist file:
/Library/LaunchDaemons/network.watcher.plist<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>network.watcher</string> <key>ProgramArguments</key> <array> <string>/bin/bash</string> <string>/Users/arno/routes.sh</string> </array> <key>WatchPaths</key> <array> <string>/Library/Preferences/SystemConfiguration</string> </array> </dict> </plist>Then activated the network watcher daemon, that performs actions if network changes are detected.
sudo launchctl load /Library/LaunchDaemons/network.watcher.plistThere is a slight delay for the route propagation of about 10 seconds, but it works for me.