Built in VPN with Cisco IOS IPsec: not working due to 2 default routes

Hello,


I'm trying to establish a full tunneling VPN (not split tunneling) between the built-in VPN client on the Mac and a Cisco IOS 871 router.


I think my config on the Cisco router is ok because with a client like VPN tracker, all is working.


With the built-in client, after the session is launched and well established, I get 2 default routes, so the traffic is not routed correctly.


To give you more details, here is the result of "netstat -nr -f inet" at different steps:

- Before launching the vpn:

Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.8.254 UGSc 10 3 en1
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 236 lo0
169.254 link#4 UCS 0 0 en1
192.168.8 link#4 UCS 2 0 en1
192.168.8.38 127.0.0.1 UHS 0 1 lo0
192.168.8.254 0:24:d4:5c:5a:c UHLWIi 11 1829 en1 1199
192.168.8.255 ff:ff:ff:ff:ff:ff UHLWbI 0 34 en1


- when the vpn session is established with Mac built-in client:

Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.8.254 UGSc 8 0 en1
default utun0 UCSI 0 0 utun0
10.0.128.206 10.0.128.206 UH 0 0 utun0
127 127.0.0.1 UCS 0 18 lo0
127.0.0.1 127.0.0.1 UH 1 11652 lo0
169.254 link#4 UCS 0 0 en1
178.23.33.193 192.168.8.254 UGHS 0 0 en1
192.168.8 link#4 UCS 3 0 en1
192.168.8.38 127.0.0.1 UHS 1 1 lo0
192.168.8.254 0:24:d4:5c:5a:c UHLWIi 16 2716 en1 1195
192.168.8.255 ff:ff:ff:ff:ff:ff UHLWbI 0 2 en1


- when the vpn session is established with VPN tracker client:

Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default gif0 UGSc 10 5 gif0
127 127.0.0.1 UCS 0 18 lo0
127.0.0.1 127.0.0.1 UH 1 11656 lo0
127.1.2.3 10.0.128.206 UH 0 0 gif0
169.254 link#4 UCS 0 0 en1
178.23.33.193 192.168.8.254 UGHS 2 0 en1
192.168.8 link#4 UCS 2 0 en1
192.168.8.38 127.0.0.1 UHS 0 1 lo0
192.168.8.254 0:24:d4:5c:5a:c UHLWIi 1 2769 en1 1199
192.168.8.255 ff:ff:ff:ff:ff:ff UHLWbI 0 30 en1


I tried to check the logs; the only thing I found is this, during establishment of the VPN session with the built-in client:

Aug 26 23:18:32 TRI-MAC-GD configd[16]: IPSec Network Configuration: SPLIT-INCLUDE.
Aug 26 23:18:32 TRI-MAC-GD configd[16]: host_gateway: write routing socket failed, command 2, No such process
Aug 26 23:18:32 TRI-MAC-GD configd[16]: cannot write on routing socket: File exists (address 0.0.0.0, gateway 10.0.128.206)


Do you have any idea about this issue?

Thank you,

Regards,

Gauthier

MacBook Pro, Mac OS X (10.7.1)

Posted on Aug 28, 2011 9:31 AM


Aug 28, 2011 9:47 AM in response to GauthierD

Have you tried the following commands:

sudo route delete default (run it twice just to make sure it deletes both default routes)
sudo route get default (just to make sure there is no more default)
sudo route add -net default IP_GATEWAY 0
sudo route get default (to check that default is properly set up)


This will not fix the root cause of this issue, but it will at least remove one of the 2 defaults, as you can only have one default route set up at a time.

Sep 24, 2011 12:05 AM in response to spaquet

Hi,


Sorry for the long, long delay in answering. Thank you very much for having taken the time to answer.


I did what you suggested, but it didn't resolve the problem.


I will describe step by step the tests I did.


I was connected to the VPN and got the IP 10.0.128.204 (my local IP was 192.168.1.98).

I displayed the routes. We can see there are 2 default routes.


8:54 gauthier@TRI-MAC-GD ~% netstat -nr -f inet
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 8 2 en1
default utun0 UCSI 0 0 utun0
10.0.128.204 10.0.128.204 UH 1 1 utun0
127 127.0.0.1 UCS 0 34 lo0
127.0.0.1 127.0.0.1 UH 1 7988 lo0
169.254 link#4 UCS 0 0 en1
78.2.33.193 192.168.1.1 UGHS 0 0 en1
192.168.1 link#4 UCS 3 0 en1
192.168.1.1 0:1f:9f:34:70:b2 UHLWIi 19 453 en1 1148
192.168.1.198 127.0.0.1 UHS 0 0 lo0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en1


I successfully deleted the default route.


8:54 gauthier@TRI-MAC-GD ~% sudo route delete default
delete net default


As you wrote, I tried a second time, but it seemed there was no more default route.

8:54 gauthier@TRI-MAC-GD ~% sudo route delete default
route: writing to routing socket: not in table
delete net default: not in table


But the default route via utun0 is still there.


8:54 gauthier@TRI-MAC-GD ~% netstat -nr -f inet
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default utun0 UCSI 0 0 utun0
10.0.128.204 10.0.128.204 UH 2 2 utun0
127 127.0.0.1 UCS 0 34 lo0
127.0.0.1 127.0.0.1 UH 1 7989 lo0
169.254 link#4 UCS 0 0 en1
78.2.33.193 192.168.1.1 UGHS 2 0 en1
192.168.1 link#4 UCS 2 0 en1
192.168.1.1 0:1f:9f:34:70:b2 UHLWIi 11 454 en1 1193
192.168.1.198 127.0.0.1 UHS 0 0 lo0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 4 en1


I tried to ping an IP in my remote network, but without success.


8:54 gauthier@TRI-MAC-GD ~% ping 10.0.128.254
PING 10.0.128.254 (10.0.128.254): 56 data bytes
ping: sendto: No route to host
--- 10.0.128.254 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
zsh: exit 2 ping 10.0.128.254

8:54 gauthier@TRI-MAC-GD ~% sudo route get default
route: writing to routing socket: not in table


I tried to add the gateway of my local network.


8:55 gauthier@TRI-MAC-GD ~% sudo route add -net default 192.168.1.1 0
add net default: gateway 192.168.1.1
8:55 gauthier@TRI-MAC-GD ~% sudo route get default
route to: default
destination: default
mask: default
gateway: livebox-70b0
interface: en1
flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
8:55 gauthier@TRI-MAC-GD ~% ping 10.0.128.254
PING 10.0.128.254 (10.0.128.254): 56 data bytes
Request timeout for icmp_seq 0
^C
--- 10.0.128.254 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
zsh: exit 2 ping 10.0.128.254
8:55 gauthier@TRI-MAC-GD ~% netstat -nr -f inet
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 1 2 en1
default utun0 UCSI 0 0 utun0
10.0.128.204 10.0.128.204 UH 2 4 utun0
127 127.0.0.1 UCS 0 34 lo0
127.0.0.1 127.0.0.1 UH 1 7991 lo0
169.254 link#4 UCS 0 0 en1
78.2.33.193 192.168.1.1 UGHS 3 3 en1
192.168.1 link#4 UCS 2 0 en1
192.168.1.1 0:1f:9f:34:70:b2 UHLWIi 13 456 en1 1170
192.168.1.198 127.0.0.1 UHS 0 0 lo0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 6 en1


So it seems the Mac OS native VPN client has a really serious problem with a full-routing VPN based on IPsec.


Any idea?


Regards

Gauthier

Dec 2, 2013 11:43 AM in response to GauthierD

I had this same issue and it dogged me for days. I could connect to the VPN, but not the hosts behind the VPN. I was able to ping and reach the hosts after I followed these instructions: http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn


Basically, you have to manually add the routes of the VPN IPs to the utun0 gateway.



sudo route -nv add -net 10 -interface utun0
sudo route change default 192.168.0.1
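A check for the symptom discussed in this thread (two IPv4 "default" entries, with traffic still leaving via the LAN interface), added here as an example; it is not code from the thread, from Apple or from Cisco. It parses the text of "netstat -nr -f inet" with awk so that the route-repair steps suggested above can be verified before and after; the routing table embedded in it is a constructed sample modelled on the tables posted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: detect the "two default routes" state in `netstat -nr -f inet`
# output and report which interface un-tunnelled traffic actually leaves by.
# SAMPLE_ROUTES is a constructed sample modelled on the tables in the thread;
# on a live Mac use: routes=$(netstat -nr -f inet)

SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc            8        2     en1
default            utun0              UCSI            0        0   utun0
10.0.128.204       10.0.128.204       UH              1        1   utun0
127                127.0.0.1          UCS             0       34     lo0
192.168.1          link#4             UCS             3        0     en1'

# Number of IPv4 "default" entries ($1 is the Destination column).
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# Netif ($6) of the first default entry. In the thread this is the en1 entry,
# and `route get default` resolved to en1, i.e. traffic bypassed the tunnel.
active_default_netif() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $6; exit }'
}

# Netifs of every default entry, space-separated, in table order.
default_netifs() {
    printf '%s\n' "$1" | awk '$1 == "default" { printf "%s%s", sep, $6; sep = " " } END { print "" }'
}

# 0 when exactly one default entry exists and it points at the tunnel ($2),
# 1 when a second default exists or the active one is another interface.
full_tunnel_ok() {
    [ "$(count_default_routes "$1")" -eq 1 ] && [ "$(active_default_netif "$1")" = "$2" ]
}

if full_tunnel_ok "$SAMPLE_ROUTES" utun0; then
    echo "OK: single default route via utun0"
else
    echo "LEAK: $(count_default_routes "$SAMPLE_ROUTES") default routes ($(default_netifs "$SAMPLE_ROUTES")); traffic leaves via $(active_default_netif "$SAMPLE_ROUTES")"
fi
```

Run it again after the route changes; a clean result is one default entry whose Netif is the utun interface, which is what the full-tunnel setup in the question requires.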
