The Importance of Accessible-Subnets in IPsec VPN Profiles: Controlling Traffic Routing and DNS
Behavior of IPsec VPN on macOS and iPhone when considering accessible subnets:
- macOS:
  - macOS prioritizes the subnets received via the IPsec configuration over the prefix list in the Secure Access module.
- iPhone:
  - The iPhone honors only the routes received as part of the IPsec configuration and does not consider any additional routing information from the Secure Access module.
Scenario 1: Full Tunnel
When the accessible subnets are set to 0.0.0.0/0, both macOS and iPhone treat the connection as a full tunnel. There is no way to override these routes based on the flags received from the Secure Access module. Below is a sample configuration that makes both macOS and iPhone operate as a full tunnel, routing all traffic through the VPN tunnel on both devices.

versasupport@xxx-xxxx-cli(config)% show orgs org-services <org Name> ipsec vpn-profile
vpn-profile ACME {
    vpn-type remote-access-server;
    ipsec {
        address-pools {
            address-range 172.16.220.1-172.16.220.254;
            netmask 255.255.255.0;
            accessible-subnets 0.0.0.0/0;    ####### This is the setting that makes the tunnel a full tunnel
            dns 30 {
                nameserver [ 172.16.10.11 172.16.10.12 ];
                domain [ google.com ];
            }
        }
    }
    remote-auth-type eap;
    default-ras true;
    ras-id xxxx;
    remote-auth-eap-type mschap-v2;
    hardware-accelerator any;
}
--------------------------------------------------------------------
Scenario 2: Split Tunnel
To implement a split tunnel, we must avoid setting accessible-subnets to 0.0.0.0/0. Instead, we configure the specific subnets whose traffic should be routed through the VPN, allowing all other traffic to go directly through the local network. Below is a sample configuration for a split tunnel setup on both macOS and iPhone:

versasupport@xxx-xxxx-cli(config)% show orgs org-services <org Name> ipsec vpn-profile
vpn-profile ACME {
    vpn-type remote-access-server;
    ipsec {
        address-pools {
            address-range 172.16.220.1-172.16.220.254;
            netmask 255.255.255.0;
            accessible-subnets 10.0.0.0/8;
            dns 30 {
                nameserver [ 8.8.8.8 8.8.4.4 ];
                domain [ google.com ];
            }
        }
    }
    remote-auth-type eap;
    default-ras true;
    ras-id xxxxx;
    remote-auth-eap-type mschap-v2;
    hardware-accelerator any;
}

This configuration routes traffic destined for the specified subnets (here, 10.0.0.0/8) through the VPN, while all other traffic is handled by the local network.
For split tunneling, it is essential to avoid 0.0.0.0/0 as the accessible-subnets value, because that value enforces a full tunnel.
--------------------------------------------------------------------
Scenario 3: Split DNS
When we configure a domain name under IPsec, both macOS and iPhone honor it and use the specified DNS server to resolve every Fully Qualified Domain Name (FQDN) under that domain. If needed, we can configure more than one domain so that the DNS server is used for multiple domains.

ipsec {
    address-pools {
        address-range 172.16.220.1-172.16.220.254;
        netmask 255.255.255.0;
        accessible-subnets 10.0.0.0/8;
        dns 30 {
            nameserver [ 8.8.8.8 8.8.4.4 ];
            domain [ google.com ];
        }
    }
}

In this example:
- The DNS servers 8.8.8.8 and 8.8.4.4 are used to resolve FQDNs under the google.com domain.
- All other domains use the device's default DNS settings.
This setup allows us to utilize split DNS functionality, ensuring that domain-specific traffic is routed correctly through the VPN, while other traffic resolves via the local DNS.
--------------------------------------------------------------------
Scenario 4: Full DNS
For a Full DNS configuration, where all DNS requests are directed to a specific server, use the following configuration. Because no domain is listed, every DNS query is sent to the provided servers (here, 8.8.8.8 and 8.8.4.4).

ipsec {
    address-pools {
        address-range 172.16.220.1-172.16.220.254;
        netmask 255.255.255.0;
        accessible-subnets 10.0.0.0/8;
        dns 30 {
            nameserver [ 8.8.8.8 8.8.4.4 ];
        }
    }
}
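The four scenarios above all come down to two settings in the profile: accessible-subnets decides which destinations use the tunnel, and the dns block's nameserver/domain entries decide which resolver a client uses. The following added example (not Versa's own code or any Versa tool) parses a profile written in the brace syntax shown on this page and predicts, for a destination IP or an FQDN, the routing and DNS behavior macOS and iPhone will apply; it models only what the IPsec configuration delivers, which is all the iPhone honors. The sample profile is constructed.

```python
import ipaddress
import re

# Constructed sample in the page's brace syntax (split tunnel + split DNS).
SPLIT_PROFILE = """
ipsec {
    address-pools {
        address-range 172.16.220.1-172.16.220.254;
        netmask 255.255.255.0;
        accessible-subnets 10.0.0.0/8;
        dns 30 { nameserver [ 8.8.8.8 8.8.4.4 ]; domain [ google.com ]; }
    }
}
"""

def _values(text, key):
    # Value(s) of `key ...;`, with a bracketed list split into its items.
    m = re.search(r"\b%s\s+([^;]+);" % re.escape(key), text)
    return m.group(1).strip("[] ").split() if m else []

def parse_profile(text):
    # Only the routes and DNS delivered via IPsec matter to the client.
    return {
        "subnets": [ipaddress.ip_network(s, strict=False)
                    for s in _values(text, "accessible-subnets")],
        "nameservers": _values(text, "nameserver"),
        "domains": [d.lower().rstrip(".") for d in _values(text, "domain")],
    }

def tunnel_mode(profile):
    # A 0.0.0.0/0 entry forces a full tunnel on both macOS and iPhone.
    return "full" if any(n.prefixlen == 0 for n in profile["subnets"]) else "split"

def routes_via_vpn(profile, ip):
    return any(ipaddress.ip_address(ip) in n for n in profile["subnets"])

def dns_mode(profile):
    # nameserver without domain = full DNS; with domain = split DNS.
    if not profile["nameservers"]:
        return "device-default"
    return "split" if profile["domains"] else "full"

def resolver_for(profile, fqdn):
    # VPN nameservers when the tunnel's DNS handles the query, otherwise
    # None, meaning the device's default resolver is used.
    mode, host = dns_mode(profile), fqdn.lower().rstrip(".")
    if mode == "full" or (mode == "split" and any(
            host == d or host.endswith("." + d) for d in profile["domains"])):
        return profile["nameservers"]
    return None
```

Running the same parser over a profile with accessible-subnets 0.0.0.0/0, or with the domain line removed, reproduces the full-tunnel and full-DNS scenarios respectively.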