
How to force split tunnel routing on Mac to a Cisco VPN


Anyone know how to hack the routing table (on a Mac) to defeat the forcing of VPN routing for everything over a Cisco VPN? Pretty much what I want to do is have only 10.121.* and 10.122.* addresses go over the VPN and everything else straight to the internet.

Asked by: Guest | Views: 458
Total answers/comments: 3
bert [Entry]

The Python script in this previous answer was helpful; however, it didn't take care of the routes that AnyConnect used to take over other interfaces on the device (such as VMware interfaces). It also wasn't able to handle multiple VPN networks.

Here is the script I use:

#!/bin/bash

HOME_NETWORK=192.168
HOME_GATEWAY=192.168.210.1
WORK_NETWORKS="X.X.X.X/12 10.0.0.0/8 X.X.X.X/16"

# What should the DNS servers be set to?
DNS_SERVERS="10.192.2.45 10.216.2.51 8.8.8.8"

##
## Do not edit below this line if you do not know what you are doing.
##

# Returns 0 when $1 is a full dotted-quad address (a host entry in netstat
# output) and non-zero for abbreviated network entries such as 192.168.210/24.
function valid_ip()
{
    local ip=$1
    local stat=1

    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        local OIFS=$IFS
        IFS='.'
        ip=($ip)
        IFS=$OIFS
        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
            && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
        stat=$?
    fi
    return $stat
}

# Nuke any DENY firewall rules
for RULE in $(sudo ipfw list | grep deny | awk '{print $1}' | xargs); do
    sudo ipfw delete ${RULE}
done

# Delete any routes for the home network that AnyConnect might have made
sudo route delete -net ${HOME_NETWORK}
sudo route add -net ${HOME_NETWORK} ${HOME_GATEWAY}

# Get the AnyConnect interface (it currently owns the default route)
ANYCONNECT_INTERFACE=$(route get 0.0.0.0 | grep interface | awk '{print $2}')

# Add the work routes
for NETWORK in ${WORK_NETWORKS}; do
    sudo route -nv add -net ${NETWORK} -interface ${ANYCONNECT_INTERFACE}
done

# Set the default gateway
sudo route change default ${HOME_GATEWAY}

# Mass route changes: any home-network entry still pointing at the tunnel
# interface detected above (rather than a hard-coded utun1) goes back to
# the home gateway. Full dotted quads are host routes, everything else is
# a network route and needs -net.
for NET in $(netstat -nr | grep -e ^${HOME_NETWORK} | grep ${ANYCONNECT_INTERFACE} | awk '{print $1}' | xargs); do
    if valid_ip ${NET}; then
        echo "Changing route for host ${NET}"
        sudo route change ${NET} ${HOME_GATEWAY}
    else
        echo "Changing route for network ${NET}"
        sudo route change -net ${NET} ${HOME_GATEWAY}
    fi
done

# Set the nameservers
sudo scutil << EOF
open
d.init
d.add ServerAddresses * ${DNS_SERVERS}
set State:/Network/Service/com.cisco.anyconnect/DNS
quit
EOF
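After running a script like the one above, it is worth checking that nothing outside the work prefixes still leaves via the tunnel. This is an added example, not bert's script: it parses `netstat -nr` output and lists every destination routed through the VPN interface that no work prefix covers. The interface name, the work prefixes and the routing-table sample are constructed.

```shell
#!/bin/sh
# Split-tunnel audit: list routes that still point at the VPN interface although
# they fall outside the work prefixes. Added example; prefixes and sample are constructed.

WORK_NETWORKS="10.121.0.0/16 10.122.0.0/16"   # what should stay on the tunnel

# Dotted quad -> 32-bit integer (plain awk arithmetic, no bitwise operators needed).
ip_to_int() {
  printf '%s\n' "$1" | awk -F. '{ print $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# Expand netstat's abbreviated destinations: "10.121/16" -> "10.121.0.0".
pad_ip() {
  printf '%s\n' "${1%/*}" | awk -F. -v OFS=. '{ for (i = NF + 1; i <= 4; i++) $i = 0; print }'
}

# in_cidr IP NETWORK/BITS: succeeds when IP lies inside the prefix.
in_cidr() {
  ipn=$(ip_to_int "$1"); netn=$(ip_to_int "${2%/*}"); bits=${2#*/}
  awk -v ip="$ipn" -v net="$netn" -v bits="$bits" \
    'BEGIN { d = 2 ^ (32 - bits); exit !(int(ip / d) == int(net / d)) }'
}

# leaked_routes IFACE: reads `netstat -nr` output on stdin and prints each destination
# routed via IFACE that no WORK_NETWORKS prefix covers (the default route included).
leaked_routes() {
  awk -v ifc="$1" '($1 == "default" || $1 ~ /^[0-9]/) {
      for (i = 2; i <= NF; i++) if ($i == ifc) print $1 }' |
  while read -r dest; do
    keep=0
    if [ "$dest" != default ]; then
      for cidr in $WORK_NETWORKS; do
        if in_cidr "$(pad_ip "$dest")" "$cidr"; then keep=1; fi
      done
    fi
    if [ "$keep" -eq 0 ]; then echo "$dest"; fi
  done
}

# Constructed sample of `netstat -nr` after AnyConnect took over the default route.
SAMPLE_NETSTAT='Destination        Gateway        Flags   Netif Expire
default            10.121.0.1     UGScg   utun1
10.121/16          10.121.0.1     UGSc    utun1
10.122/16          10.121.0.1     UGSc    utun1
127                127.0.0.1      UCS     lo0
192.168.210/24     link#6         UCS     en0      !
192.168.210.5      10.121.0.1     UGHS    utun1'

printf '%s\n' "$SAMPLE_NETSTAT" | leaked_routes utun1   # prints default and 192.168.210.5
```

On a real machine replace the sample with `netstat -nr | leaked_routes utun1` (using whatever interface `route get 0.0.0.0` reports); an empty result means the split tunnel is in place.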
bert [Entry]

You should be able to ask the administrator of the router you are connecting to, to set up a separate "group" that does split tunneling, and give you a PCF file that contains the group name and group password for that group.
bert [Entry]

I had the same issue and got this working thanks to @mehaase.

After creating the ~/vpn.sh as answered by @mehaase, you can put this into a runnable Automator application using these steps:

1. Using Automator, create a new Application
2. Add "Run an AppleScript" under Library > Utilities
3. Enter: do shell script "sudo ~/vpn.sh" with administrator privileges
4. Save

You may also need to run chmod 700 ~/vpn.sh from Terminal to give the script execute privileges.

After connecting to the VPN you can simply run this application script. Enter your admin password and click OK - Done. :)