macosNetworkvpn
On OS X 10.11 (El Capitan), with the Cisco Built-in VPN client, I would like to configure the route table in order to have the following thing :
Is there a way to configure it with some tricky route add|change|delete commands?
Moreover is there a way to run this commands every time I connect to the VPN.
I guess not all VPN connections of the build-in VPN client in Mac have that option.
The PPTP and L2TP do offer the option: Open your network settings:
Select your VPN connection and click on the advanced button.
A new window will pop up with three check-boxes under the heading "Session options". The last one of these checkboxes is the one you want: "redirect all traffic over VPN".
However, like you said. The advanced button does not pop up with Cisco IPSec.
I found this thread (https://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn) that maybe could be an answer to your problem (if you use it to route the whole ip range):
Any one know how to hack the routing table (on a mac) to defeat the forcing of VPN routing for every thing over a cisco VPN? pretty much what I want to do is have only 10.121.* and 10.122.* addresses over the VPN and everything else straight to the internet.
The following works for me. Run these after connecting to the cisco vpn. (I'm using OS X's built-in cisco client, not the Cisco branded client.)
sudo route -nv add -net 10 -interface utun0
sudo route change default 192.168.0.1
Replace "10" in the first command with the network that's on the other side of the tunnel.
Replace "192.168.0.1" with your local network's gateway.
I put it into a bash script, like this:
$ cat vpn.sh
#!/bin/bash
if [[ $EUID -ne 0 ]]; then
echo "Run this as root"
exit 1
fi
route -nv add -net 10 -interface utun0
route change default 192.168.0.1
I also found an explanation on how to run this automatically when you connect the VPN, but it's late on Friday and I don't feel like trying it :)
https://gist.github.com/675916
Edit:
I have since left the job where I was using the Cisco VPN, so this is from memory.
The "10" in the first command is the network that you want to route over the VPN. "10" is short hand for "10.0.0.0/8". In Tuan Anh Tran's case, it looks like the network is "192.168.5.0/24".
As for which gateway to specify in the second command, it should be your local gateway. When you log into a VPN that prevents split-tunneling, it is enforcing that policy by changing your routing tables so that all packets are routed on the virtual interface. So you want to change your default route back to what it was prior to getting on the VPN.
The easiest way to figure out the gateway is to run netstat -rn before logging into the VPN, and look at the IP address to the right of the "default" destination. For example, here's what it looks like on my box right now:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.1.1 UGSc 29 0 en1
10.0.1/24 link#5 UCS 3 0 en1
10.0.1.1 0:1e:52:xx:xx:xx UHLWIi 55 520896 en1 481
10.0.1.51 7c:c5:37:xx:xx:xx UHLWIi 0 1083 en1 350
10.0.1.52 127.0.0.1 UHS 0 0 lo0
My gateway is 10.0.1.1 -- it is to the right of the "default" destination.
Yup when using the VPN everything goes through your VPN.
Best Answer
For the first part (how to split traffic), I had the solution with the two following code lines