Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1386
Views
0
Helpful
9
Replies

Split Tunnel from Mac

Go to solution
GregHains
Level 1
Level 1

‎07-17-2023 02:44 PM

Good morning,

First up, I am not 100% sure if I am in the right board, so if this message needs to be moved, please let me know or move it as required.
I am looking to setup a split tunnel from my Mac (Ventura 13.4.1) and one of the VPN options in this OS is Cisco IPsec.  I have no Cisco equipment at all - the site I am connecting to is a shop of mine that has a Netgear v7610 and one of the VPN options on this device is to use the Cisco client to connect. Unfortunately there is no option on the Mac end to enable split tunnelling. I posted my message to Apple and a helpful person pointed me here.
 If it is possible, does anybody know how I can set it up please?

Many thanks in advance,
Greg

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP
In response to GregHains

‎07-17-2023 04:51 PM - last edited on ‎07-17-2023 10:45 PM by Community Manager

 Basically you should add a route for the VPN traffic and another one for the internet.

I believe it would be something like

sudo route -n add -net 10.0.0.0/8(use the network you need to access)    x.x.x.x(Netgear ip address)

sudo route -n add -net 0.0.0.0/0  <internet gateway>

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Flavio Miranda
VIP
VIP

‎07-17-2023 03:05 PM

Hi @GregHains 

 Split tunnel is done on the vpn concentrador side amd not on the client side. The netgear must be able to do split tunnel on this case.

0 Helpful

Go to solution
GregHains
Level 1
Level 1
In response to Flavio Miranda

‎07-17-2023 03:53 PM

Hi Flavio.  

Thankyou for replying.
On my Mac (client side), I have the option (with other VPN types) to enable tunnelling, so I thought in this case it would be my end.  Maybe I explained it incorrectly, because I want to direct traffic destined for 192.168.16.x through the VPN - the rest of the traffic is to go out through my local router to the Internet.
Cheers,
Greg

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to GregHains

‎07-17-2023 04:11 PM

This is indeed split tunnel but, if when you connect to the VPN the Netgear send you a default route tunneling all your traffic to the VPN tunnel, there´s nothing you can do.  The Netgear must provide you a conditional traffic tunneling with split tunnel  which is sending you a route for the traffic you want to send to the VPN traffic and leave a default route on your machine sending everything else to the local internet.

  When you stablish the VPN tunnel, the VPN client take control of your network connection inclusing the routing table of your machine.

 

 

0 Helpful

Go to solution
GregHains
Level 1
Level 1
In response to Flavio Miranda

‎07-17-2023 04:16 PM - last edited on ‎07-17-2023 10:06 PM by Community Manager

Hi Flavio,

So

perhaps

the limitation here is the Netgear (host end) rather than my end?
I was thinking that the splitting occurred at my end, where my Mac would detect the networks I was working with, and it would setup a route to either the VPN interface or the local network for everything else.
Is there nothing I can do in terms of

adding a route

through terminal to achieve this?  The Netgear only needs to deal with what it is sent, and I'd like the Mac to handle everything else here as it normally would.
Thanks,
Greg 

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to GregHains

‎07-17-2023 04:33 PM

No, this is not a limitation, this is a feature. Actually I dont know how Netgear works and I am using the expirience from Cisco firewall. But, they probably works the same way.

  You can actually add route but as soon as you disconnect and connect to the VPN the client VPN will take control of the configuration again and all your routes will be gone.

0 Helpful

Go to solution
GregHains
Level 1
Level 1
In response to Flavio Miranda

‎07-17-2023 04:41 PM - last edited on ‎07-17-2023 10:05 PM by Community Manager

Hi Flavio,

I knew this was more of an MacOS question than Cisco, but I thought there may have been a way to configure the Cisco client to handle the tunnelling.  I know that the security provided by having no tunnelling is a feature rather than a limitation, but given this is a basic setup, I am aware of the potential risks by split tunnelling.
I have identified the interface (utun5) when I am connected, and I have done a

route add

command, and I am OK with having to run a script each time I connect. The command is accepted and it looks OK - but it doesn't work as expected. 

Perhaps

I'm not using the command quite the right way.

Greg

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to GregHains

‎07-17-2023 04:51 PM - last edited on ‎07-17-2023 10:45 PM by Community Manager

 Basically you should add a route for the VPN traffic and another one for the internet.

I believe it would be something like

sudo route -n add -net 10.0.0.0/8(use the network you need to access)    x.x.x.x(Netgear ip address)

sudo route -n add -net 0.0.0.0/0  <internet gateway>

0 Helpful

Go to solution
GregHains
Level 1
Level 1

‎07-17-2023 08:40 PM

Hi Flavio.

That worked thankyou very much - works just as I wanted it to. 
I really appreciate it.

Greg

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to GregHains

‎07-17-2023 10:51 PM

Hi Greg

 Glad to hear it worked.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card