<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><tt>Hello Tobias,<br>
<br>
Thanks much for your response.<br>
<br>
FYI, the ipsec config you provided doesn't work without a strongSwan config change. Setting right to 127.0.0.1 causes strongSwan to swap left and right:<br>
<br>
&gt; Jul 13 12:06:41 07[CFG] received stroke: add connection 'client-1-bypass'<br>
&gt; ...<br>
&gt; Jul 13 12:06:41 07[CFG] left is other host, swapping ends<br>
&gt; Jul 13 12:06:41 07[CFG] added configuration 'client-1-bypass'<br>
<br>
As a result, the bypass policies become inverted and they never match - all traffic goes over the non-bypassed SA.<br>
<br>
The simple solution is to set the following strongSwan config:<br>
<br>
charon.plugins.allow_swap = no<br>
<br>
I'm not sure if one would be expected to make such a change in order to get this bypass scenario to function, but that's what worked for me.<br>
<br>
Regards.<br>
<br>
Plevin<br>
<br>
On 7/12/2016 4:36 AM, Tobias Brunner wrote:</tt></div>
<blockquote cite="mid:5784AC0E.7070508@strongswan.org" type="cite">
<pre wrap="">Hi Plevin,
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">conn client-1-bypass
left=192.168.0.1
right=192.168.0.2
rightsubnet=192.168.0.2[tcp/5001]
leftfirewall=yes
type=passthrough
authby=secret
auto=add
</pre>
</blockquote>
</blockquote>
<pre wrap="">
You configured this like a regular connection (left|right specified,
leftfirewall=yes, authby=secret, auto=add). So this might get
established like one. Instead you should set at least right to
127.0.0.1 so it won't get used as responder, and configure the traffic
selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32,
rightsubnet=192.168.0.2/32[tcp/5001]). leftfirewall=yes has no effect
here, so if you need firewall rules to allow that traffic you have to
install them yourself. And to install the policies when the config is
loaded use auto=route. Same on the other host:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">conn server-bypass
right=127.0.0.1
leftsubnet=192.168.0.2/32[tcp/5001]
rightsubnet=0.0.0.0/0
type=passthrough
auto=route
</pre>
</blockquote>
</blockquote>
<pre wrap="">
Regards,
Tobias
</pre>
</blockquote>
<p><br>
</p>
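<p>The inversion Plevin describes is visible in the kernel: once the stroke plugin has swapped the ends, the "out" bypass policy names the peer as source, so locally originated traffic to 192.168.0.2:5001 never matches it and falls through to the ESP policy. The script below is an added example, not code from the strongSwan project or from either poster. It parses <tt>ip xfrm policy</tt> output and reports whether the tcp/5001 bypass between the two hosts is installed correctly, swapped, missing, or shadowed by an ESP policy with a better (numerically lower) priority. The addresses and port are the thread's; that 192.168.0.1 is the local host, and the sample output itself, are constructed assumptions. The setting Plevin refers to lives in the stroke plugin section of strongswan.conf, documented as <tt>charon.plugins.stroke.allow_swap</tt>.</p>

```python
"""Check the direction of strongSwan passthrough (bypass) policies by parsing
`ip xfrm policy` output.  Added example; not strongSwan project code.

Assumptions (hypothetical): this host is 192.168.0.1, the peer is 192.168.0.2,
and the bypass is meant to cover TCP port 5001 on the peer.
"""

LOCAL = "192.168.0.1/32"
PEER = "192.168.0.2/32"
PORT = 5001

# Constructed sample mimicking `ip xfrm policy show` after left/right were
# swapped by the stroke plugin.  Bypass policies carry no "tmpl" block; the
# ESP tunnel policies do.  Note the bypass src/dst are inverted relative to
# the direction: the "out" entry has the peer as src, so it never matches.
SWAPPED_XFRM = """\
src 192.168.0.2/32 dst 192.168.0.1/32 proto tcp dport 5001
    dir out priority 1536 ptype main
src 192.168.0.1/32 dst 192.168.0.2/32 proto tcp sport 5001
    dir in priority 1536 ptype main
src 192.168.0.1/32 dst 192.168.0.2/32
    dir out priority 375423 ptype main
    tmpl src 192.168.0.1 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
src 192.168.0.2/32 dst 192.168.0.1/32
    dir in priority 375423 ptype main
    tmpl src 192.168.0.2 dst 192.168.0.1
        proto esp reqid 1 mode tunnel
"""

# Constructed sample with allow_swap disabled: bypass src/dst follow the
# direction, and the bypass outranks (lower number) the ESP policy.
CORRECT_XFRM = """\
src 192.168.0.1/32 dst 192.168.0.2/32 proto tcp dport 5001
    dir out priority 1536 ptype main
src 192.168.0.2/32 dst 192.168.0.1/32 proto tcp sport 5001
    dir in priority 1536 ptype main
src 192.168.0.1/32 dst 192.168.0.2/32
    dir out priority 375423 ptype main
    tmpl src 192.168.0.1 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
src 192.168.0.2/32 dst 192.168.0.1/32
    dir in priority 375423 ptype main
    tmpl src 192.168.0.2 dst 192.168.0.1
        proto esp reqid 1 mode tunnel
"""


def parse_policies(text):
    """Turn `ip xfrm policy` text into a list of dicts.

    A non-indented "src ... dst ..." line opens a policy; its trailing
    key/value pairs (proto, dport, sport, ...) are kept verbatim.  Indented
    lines supply dir/priority and flag whether an SA template ("tmpl")
    exists.  Socket policies have no "dir" line and are ignored by checks.
    """
    policies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():
            if fields[0] != "src":
                continue
            pol = {"src": fields[1], "dst": fields[3], "tmpl": False}
            opts = fields[4:]
            pol.update(dict(zip(opts[0::2], opts[1::2])))
            policies.append(pol)
        elif policies and fields[0] == "dir":
            policies[-1]["dir"] = fields[1]
            policies[-1]["priority"] = int(fields[3])
        elif policies and fields[0] == "tmpl":
            policies[-1]["tmpl"] = True
    return policies


def bypass_status(text, local=LOCAL, peer=PEER, port=PORT):
    """Return "ok", "swapped", "shadowed" or "missing" for the tcp/port bypass."""
    pols = parse_policies(text)

    def matching(src, dst, direction, portkey):
        return [p for p in pols
                if (p["src"], p["dst"], p.get("dir")) == (src, dst, direction)
                and p.get("proto") == "tcp" and p.get(portkey) == str(port)
                and not p["tmpl"]]

    # Traffic we originate to peer:port must hit an "out" bypass whose src is
    # this host; replies must hit an "in" bypass whose dst is this host.
    out_ok = matching(local, peer, "out", "dport")
    in_ok = matching(peer, local, "in", "sport")
    if out_ok and in_ok:
        # The bypass must outrank the ESP policy for the same pair of hosts,
        # or the kernel selects the ESP policy first and encrypts anyway.
        esp_out = [p["priority"] for p in pols if p["tmpl"]
                   and p.get("dir") == "out" and p["src"] == local and p["dst"] == peer]
        if esp_out and out_ok[0]["priority"] >= min(esp_out):
            return "shadowed"
        return "ok"
    if matching(peer, local, "out", "dport") or matching(local, peer, "in", "sport"):
        return "swapped"
    return "missing"


if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():
        # e.g.  ip xfrm policy | python3 check_bypass.py
        print("live:", bypass_status(sys.stdin.read()))
    else:
        for name, sample in (("swapped sample", SWAPPED_XFRM), ("corrected sample", CORRECT_XFRM)):
            print(f"{name}: {bypass_status(sample)}")
```

<p>Run it as <tt>ip xfrm policy | python3 check_bypass.py</tt> on each host (with LOCAL/PEER adjusted to that host's role) after <tt>ipsec reload</tt>; with no input it evaluates the two constructed samples. A "swapped" result is the kernel-side counterpart of the "left is other host, swapping ends" log line above.</p>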
</body>
</html>