
How to get VPN split tunneling with built in VPN Client and Cisco IPsec protocol?

I recently tried to connect to my business local network using Cisco IPsec VPN.

The connection was established and everything worked like it should.


What I needed and couldn't find is a solution to split tunnel my connection. That means I want to be connected to my business network but use my own internet connection for every other connection.


Assume my company's IP address range is 192.168.188/24 and the network I am currently in (local home) is 192.168.178/24.


I want to reach 192.168.188/24 via VPN - which works.

I want to reach the outside world via my local home connection - does not work.


I remember earlier versions of OS X had these options built in: when you clicked on "Advanced..." you could choose to split tunnel the connection. These options seem to be gone.


Any solution to this problem?


Regards,

Chris

MacBook Pro with Touch Bar

Posted on Jan 23, 2019 1:40 AM

Question marked as Best reply

Posted on Jan 23, 2019 1:53 AM

After doing some research I figured out how to solve this problem. It needs some hard-coding though and might not be suitable for everyone!


macOS Mojave uses the standard Unix networking services. That means you can manipulate the routing table of your network to achieve split tunneling. Therefore it is necessary to run two commands:


route -nv add -net 192.168.188 -interface utun1
route change default 192.168.178.1


The first command adds a new entry to the route table that does the following:

"Hey Network, if you want to reach any address in the range 192.168.188.0 to 192.168.188.255 then you have to use the configured interface utun1."

Here utun1 is my VPN tunnel to the business network. To figure out what your interface is named you can use the command 'ifconfig' in Terminal.

The second command changes an entry in the route table:

"Hey Network, if you want to reach any address you DO NOT have a special entry in your table, then use 192.168.178.1 to go there."

Here default stands for 'any address not in your list' and 192.168.178.1 is my local home router, which has its own DNS addresses configured and will be able to resolve any address I am looking for except the ones directly specified in my route table.


Information:

I tried to keep this as understandable as possible. Feel free to ask, but I am not sure if I'll be around that often. All in all this is working for me. I am not using the connection too often, so I can easily use these two commands when I need to. If you have another, easier solution I am happy to hear about it!
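As an added example (not part of Chris's post), here is a Python script that parses a 'netstat -rn' table to confirm the two route commands took effect: the company subnet must leave via the tunnel interface and the winning default route must point back at the home router. The two tables inside it are constructed to match the addresses in this thread; the interface name utun1 and the Mojave column layout are assumptions.

```python
import ipaddress
# Constructed netstat -rn tables in the Mojave column layout, NOT captured from a real Mac.
FULL_TUNNEL = """Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#18            UCSI            0        0   utun1
default            192.168.178.1      UGScI          12        0     en0
192.168.178        link#6             UCS             3        0     en0      !
192.168.188        link#18            UCS             0        0   utun1
"""
SPLIT_TUNNEL = """Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.178.1      UGSc           12        0     en0
192.168.178        link#6             UCS             3        0     en0      !
192.168.188        link#18            UCS             0        0   utun1
"""

def parse_routes(netstat_output):
    """Return the IPv4 rows of `netstat -rn` as dicts keyed by the header names."""
    rows, cols = [], None
    for line in netstat_output.splitlines():
        if line.startswith("Internet6:"):
            break                                  # stop before the IPv6 table
        parts = line.split()
        if parts and parts[0] == "Destination":
            cols = {name: i for i, name in enumerate(parts)}   # header fixes column positions
        elif cols and len(parts) > cols["Netif"]:
            rows.append({k: parts[cols[k]] for k in ("Destination", "Gateway", "Netif")})
    return rows

def to_network(dest):
    """Expand BSD shorthand: 'default' -> 0.0.0.0/0, '192.168.188' -> 192.168.188.0/24."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    base, _, plen = dest.partition("/")
    octets = base.split(".")
    plen = plen or str(8 * len(octets))            # omitted trailing octets are zero
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/" + plen, strict=False)

def split_tunnel_status(netstat_output, corp_net, home_gw, vpn_if):
    """corp_net must leave via vpn_if; the first (winning) 'default' row must use the home router."""
    rows = parse_routes(netstat_output)
    corp = ipaddress.ip_network(corp_net)
    corp_via_vpn = any(to_network(r["Destination"]) == corp and r["Netif"] == vpn_if for r in rows)
    defaults = [r for r in rows if r["Destination"] == "default"]
    default_ok = bool(defaults) and defaults[0]["Gateway"] == home_gw and defaults[0]["Netif"] != vpn_if
    return {"corp_via_vpn": corp_via_vpn, "default_via_home": default_ok}

def route_commands(corp_net, home_gw, vpn_if):
    """The answer's two route commands with the netmask spelled out; built here, not executed."""
    net = ipaddress.ip_network(corp_net)
    return [f"route -nv add -net {net.network_address} -netmask {net.netmask} -interface {vpn_if}",
            f"route change default {home_gw}"]
```

Feed it the output of 'netstat -rn' after running the two commands; a result of default_via_home: False means the VPN's own default route is still winning and internet traffic is still going through the tunnel.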

Jan 23, 2019 6:37 AM in response to John Lockwood

Thanks for your opinion John. I agree with your assumption. But I do not agree with the policy of not making it easily available via the GUI. The VPN-configured network has no option and is not able to control whether I just use the VPN connection for the internal network only, or for internet access too. It is totally up to me - or at least I think it should be - how I use my routing if I am physically not connected via my business network only.


The workaround is working beautifully; it is just sad that it might not be that convenient for people with less network and terminal knowledge.
