MacOS – Routing all traffic except a few IP-ranges though default gateway in Mountain Lion

macosNetworkvpn

I am using VPN (Cisco IPSec) through the default Mountain Lion network preferences. In Lion (and also in Snow Leopard), I did the following to change the routing back to using my default gateway for all traffic, and thne set up a few routes for the specific IP-ranges that needed to go through VPN:

# Route traffic through VPN:
route -nv add -net IPRANGE -interface utun0
#...more lines for the different IP-ranges that should go through VPN)

# Route all other traffic through the old default gateway:
route change default DEFAULT-GATEWAY-IP

This seems to not work under Mountain Lion. The (new implementation?) of Cisco IPSec seems to dynamically add a lot of routes to the routing table as I visit them in the browser.

I have debugged this a lot (pinging, traceroute'ing), but still haven't found a solution.

The basic problem I'm trying to solve is just to route traffic for specific IP-ranges through VPN, everything else should act as I am not connected to VPN. Any other solution that achieves that will be fine with me =)

Best Answer

If you configure your VPN server to allow split tunneling, this will work without any need to configuree your vpn client or the network on the Mac.

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

Split-tunneling is used in scenarios where only specific traffic must be tunneled, opposed to scenarios where all of the client machine-generated traffic flows across the VPN when connected. Use of the AnyConnect Configuration Wizard will by default result in a tunnel-all configuration on the ASA. Split tunnelling must be configured separately, which is explained in further detail in the Split Tunnel section of this document.

Related Solutions

MacOS – How to only route office traffic over the VPN while having default route for other traffic

This is how you route specific traffic over an interface sudo route add google.com en1 (en1 is the interface).

In order to find the interface use ifconfigcommand, run the command before and after connecting VPN and determine on which interface the VPN is running.

A similar question has a detailed answer.

MacOS – Where is the “Send all traffic over VPN connection” setting in OSX 10.9 Mavericks

I guess not all VPN connections of the build-in VPN client in Mac have that option.

The PPTP and L2TP do offer the option: Open your network settings:

enter image description here

Select your VPN connection and click on the advanced button.

A new window will pop up with three check-boxes under the heading "Session options". The last one of these checkboxes is the one you want: "redirect all traffic over VPN".

However, like you said. The advanced button does not pop up with Cisco IPSec.

I found this thread (https://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn) that maybe could be an answer to your problem (if you use it to route the whole ip range):

Any one know how to hack the routing table (on a mac) to defeat the forcing of VPN routing for every thing over a cisco VPN? pretty much what I want to do is have only 10.121.* and 10.122.* addresses over the VPN and everything else straight to the internet.

The following works for me. Run these after connecting to the cisco vpn. (I'm using OS X's built-in cisco client, not the Cisco branded client.)

sudo route -nv add -net 10 -interface utun0
sudo route change default 192.168.0.1

Replace "10" in the first command with the network that's on the other side of the tunnel.

Replace "192.168.0.1" with your local network's gateway.

I put it into a bash script, like this:

$ cat vpn.sh 
#!/bin/bash

if [[ $EUID -ne 0 ]]; then
    echo "Run this as root"
    exit 1
fi

route -nv add -net 10 -interface utun0
route change default 192.168.0.1

I also found an explanation on how to run this automatically when you connect the VPN, but it's late on Friday and I don't feel like trying it :)

https://gist.github.com/675916

Edit:

I have since left the job where I was using the Cisco VPN, so this is from memory.

The "10" in the first command is the network that you want to route over the VPN. "10" is short hand for "10.0.0.0/8". In Tuan Anh Tran's case, it looks like the network is "192.168.5.0/24".

As for which gateway to specify in the second command, it should be your local gateway. When you log into a VPN that prevents split-tunneling, it is enforcing that policy by changing your routing tables so that all packets are routed on the virtual interface. So you want to change your default route back to what it was prior to getting on the VPN.

The easiest way to figure out the gateway is to run netstat -rn before logging into the VPN, and look at the IP address to the right of the "default" destination. For example, here's what it looks like on my box right now:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           29        0     en1
10.0.1/24          link#5             UCS             3        0     en1
10.0.1.1           0:1e:52:xx:xx:xx   UHLWIi         55   520896     en1    481
10.0.1.51          7c:c5:37:xx:xx:xx   UHLWIi          0     1083     en1    350
10.0.1.52          127.0.0.1          UHS             0        0     lo0

My gateway is 10.0.1.1 -- it is to the right of the "default" destination.

Best Answer

Related Solutions

MacOS – How to only route office traffic over the VPN while having default route for other traffic

MacOS – Where is the “Send all traffic over VPN connection” setting in OSX 10.9 Mavericks

Related Question