Routing all traffic except a few IP-ranges through default gateway in Mountain Lion

I am using VPN (Cisco IPSec) through the default Mountain Lion network preferences. In Lion (and also in Snow Leopard), I did the following to change the routing back to using my default gateway for all traffic, and then set up a few routes for the specific IP-ranges that needed to go through VPN:

# Route traffic through VPN:
route -nv add -net IPRANGE -interface utun0
# ...more lines for the other IP-ranges that should go through the VPN

# Route all other traffic through the old default gateway:
route change default DEFAULT-GATEWAY-IP

This seems to not work under Mountain Lion. The (new implementation?) of Cisco IPSec seems to dynamically add a lot of routes to the routing table as I visit them in the browser.

I have debugged this a lot (pinging, traceroute'ing), but still haven't found a solution.

The basic problem I'm trying to solve is just to route traffic for specific IP-ranges through VPN; everything else should act as if I am not connected to VPN. Any other solution that achieves that will be fine with me =)

Espen Herseth Halvorsen

Posted 2012-07-26T08:59:45.943

Reputation: 793

"This seems not to work" isn't a very good description of the problem. What exactly goes wrong? – David Schwartz – 2012-07-26T09:58:07.930

As I said, new (and more specific) routes seem to be added for every domain I visit. This wasn't the case in Lion/Snow Leopard. This means that this method of changing the default route won't work, as new and more specific routes will be created for every IP/domain I visit, and these take over from the default route. – Espen Herseth Halvorsen – 2012-07-26T10:11:07.960

Are you using the built-in IPSec client? Do you have "send all traffic over the VPN" checked? By default anything should use the routing tables; make sure your default is set to where you think it should be and you don't have any more specific routes such as 0.0.0.0/1 and 128.0.0.0/1. – Doon – 2012-07-27T19:54:54.613

Yes, I'm using the built-in Cisco IPSec. The option to send traffic on/not on the VPN connection is not present... – Espen Herseth Halvorsen – 2012-07-30T08:48:21.870

Answers

If you specify in the VPN preference panel (System Preferences, VPN item, Advanced) that you do NOT want all traffic routed through the VPN, then after connecting to the VPN, none of your routes will be altered. Then, to get routes just for the specific things you need that are on the inside of the VPN, you need to create this file:

/etc/ppp/ip-up

containing

#!/bin/bash
/sbin/route add -net 10.10.10 -interface ppp0

where "10.10.10" corresponds to the subnet of where you are inside. The above works when I want to get into the 10.10.10/24 network, whose subnet is 255.255.255.0. If the subnet was 255.255.0.0, I would substitute "10.10" instead.

When you made the file, set its permissions so it will run after the VPN connects:

chmod 755 /etc/ppp/ip-up

I don't know what to tell you if you have multiple VPNs that you need to connect to, each with different routes that need to be added. But this works for just 1 VPN.

Allen

Posted 2012-07-26T08:59:45.943

Reputation: 41
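A fuller version of the ip-up approach from this answer, added here as an example and not code from the original answer: it uses the interface name that pppd passes to ip-up as its first argument instead of hardcoding ppp0, writes the networks in explicit CIDR form rather than the classful "10.10.10" shorthand, and adds one route per network. The network list and the syslog line are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical /etc/ppp/ip-up for split-tunnel routing (added example).
# pppd runs this as root after the link is up, with the arguments:
#   ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# Only the interface name (IFNAME) is needed here.

# Networks that should be reached through the VPN, in CIDR notation.
# Constructed sample values; replace with the real inside subnets.
VPN_NETS="10.10.10.0/24 192.168.50.0/24"

# Build the route command for one CIDR network on one interface.
# Kept as a function so the exact command can be inspected or tested
# without touching the live routing table.
build_route_cmd() {
    # $1 = network in CIDR form, $2 = interface name (e.g. ppp0)
    printf '/sbin/route -n add -net %s -interface %s' "$1" "$2"
}

# Count how many networks are configured (used for the log summary).
count_nets() {
    set -- $VPN_NETS
    echo "$#"
}

IFNAME="${1:-}"
if [ -n "$IFNAME" ]; then
    # Add one route per network, pointing at the VPN interface pppd gave us.
    for net in $VPN_NETS; do
        cmd=$(build_route_cmd "$net" "$IFNAME")
        logger -t ip-up "split-tunnel: $cmd"
        $cmd
    done
    logger -t ip-up "split-tunnel: added $(count_nets) route(s) via $IFNAME"
fi
```

Because pppd executes this file as root, it should be owned by root and not writable by other users; the chmod 755 from the answer gives exactly that when the file is created by root.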

This seems like the perfect solution, the only problem is that I don't have the option to specify that I don't want traffic routed through the VPN connection in the Advanced preferences. This option is not present on a Cisco IPSec VPN connection. – Espen Herseth Halvorsen – 2012-07-30T08:45:03.713

And to clarify: This option IS present on VPN-connections of the "L2TP over IPSec" and "PPTP" types, but not on "Cisco IPSec". :( – Espen Herseth Halvorsen – 2012-07-30T08:47:07.707