<html>

  <head>

    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <div class="moz-cite-prefix"><tt>Hello Tobias,</tt><tt><br>

      </tt><tt><br>

      </tt><tt>Thanks much for your response. </tt><tt><br>

      </tt><tt><br>

      </tt><tt>FYI, the ipsec config you provided doesn't work without a

        strongSwan config change. Setting right to 127.0.0.1 causes

        strongSwan</tt><tt><br>

      </tt><tt>to swap</tt><tt> left and right:</tt><tt><br>

      </tt><br>

      <tt><span style="font-size:11.0pt">> Jul 13 12:06:41 07[CFG]

          received stroke: add connection 'client-1-bypass'<o:p></o:p></span></tt><br>

      <tt>> ...</tt><tt><span style="font-size:11.0pt"><o:p></o:p></span></tt><tt>

      </tt><br>

      <tt><span style="font-size:11.0pt">> Jul 13 12:06:41 07[CFG]

          left is other host, swapping ends<o:p></o:p></span></tt><br>

      <tt>

      </tt><tt><span style="font-size:11.0pt">> Jul 13 12:06:41

          07[CFG] added configuration 'client-1-bypass'<br>

          <br>

          As a result, the bypass policies become inverted and they

          never match - all traffic goes over the non-bypassed SA.<br>

          <br>

          The simple solution is to set the following strongSwan config:<br>

          <br>

            charon.plugins.allow_swap = no<br>

          <br>

          I'm not sure if one would be expected to make such a change in

          order to get this bypass scenario to function,<br>

          but that's what worked for me.<br>

          <br>

          Regards.<br>

          <br>

          Plevin<br>

        </span></tt><tt></tt><tt></tt><tt><br>

      </tt><tt>On 7/12/2016 4:36 AM, Tobias Brunner wrote:</tt></div>

    <blockquote cite="mid:5784AC0E.7070508@strongswan.org" type="cite">

      <pre wrap="">Hi Plevin,

</pre>

      <blockquote type="cite">

        <blockquote type="cite">

          <pre wrap="">conn client-1-bypass

             left=192.168.0.1

             right=192.168.0.2

             rightsubnet=192.168.0.2[tcp/5001]

             leftfirewall=yes

             type=passthrough

             authby=secret

             auto=add

</pre>

        </blockquote>

      </blockquote>

      <pre wrap="">

You configured this like a regular connection (left|right specified,

leftfirewall=yes, authby=secret, auto=add).  So this might get

established like one.  Instead you should set at least right to

127.0.0.1 so it won't get used as responder, and configure the traffic

selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32,

rightsubnet=192.168.0.2/32[tcp/5001]).  leftfirewall=yes has no effect

here, so if you need firewall rules to allow that traffic you have to

install them yourself.  And to install the policies when the config is

loaded use auto=route.  Same on the other host:

</pre>

      <blockquote type="cite">

        <blockquote type="cite">

          <pre wrap="">conn server-bypass

             right=127.0.0.1

             leftsubnet=192.168.0.2/32[tcp/5001]

             rightsubnet=0.0.0.0/0

             type=passthrough

             auto=route

</pre>

        </blockquote>

      </blockquote>

      <pre wrap="">

Regards,

Tobias

</pre>

    </blockquote>

    <p><br>

    </p>

  </body>

</html>