[strongSwan] routing all traffic through tunnel without local one
Matthias Dahl
ml-strongswan at binary-island.eu
Mon Mar 8 09:31:35 CET 2010
Hi...
On Monday 08 March 2010 08:35:25 you wrote:
> To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
> This however, includes your local network in the tunnel too.
One could consider this a bug. Most people will certainly never want their
local traffic routed outside of their local network. The more I think about
it, this could even have security implications. The default should be to have
the local LAN bypassed unless the user explicitly states otherwise.
> To explicitly bypass the local network traffic, you'll need an
> additional bypass policy. The IKEv1 daemon pluto supports such bypass
> policies using type=passthrough, the IKEv2 daemon does currently not.
> But you can use the "ip xfrm" command to install a static bypass rule
> for local traffic.
I have absolutely _no_ idea what happened but things work just fine now. The
same server is/was running an OpenVPN tunnel and I did so many tests on the
server and on my local machine (some of them while having an openvpn tunnel
established) that maybe some of them interacted. After a reboot of the server
and my local machine, I can tunnel my internet traffic just fine if I want to
and all my local net traffic stays on my lan. I restarted both several times
to see if it was just luck/timing but the results are stable.
Those policies get installed by the way:
src 0.0.0.0/0 dst 172.31.25.1/32 uid 0
    dir fwd action allow index 498 priority 2000 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2010-03-08 09:22:59 use -
    tmpl src SERVER_IP dst 192.168.2.132
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 172.31.25.1/32 uid 0
    dir in action allow index 488 priority 2000 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2010-03-08 09:22:59 use -
    tmpl src SERVER_IP dst 192.168.2.132
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.31.25.1/32 dst 0.0.0.0/0 uid 0
    dir out action allow index 481 priority 1680 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2010-03-08 09:22:59 use -
    tmpl src 192.168.2.132 dst SERVER_IP
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
And those are the routes:
192.168.2.0/24 dev br0 scope link metric 5
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.2.1 dev br0 proto static src 172.31.25.1
default via 192.168.2.1 dev br0 metric 5
Like I said, I have no idea whatsoever, but it works now. Since I am new to
IPsec and the related xfrm policies in general, could you give an example, for
future reference, of what such a bypass policy would look like?
Thanks again...
So long,
matthias
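Worked example of the static "ip xfrm" bypass mentioned in the quoted reply. This is an added illustration, not code from the original post or from strongSwan itself. It assumes the addresses visible in the dump above (physical address 192.168.2.132, LAN 192.168.2.0/24) and picks bypass priority 1000, since the kernel prefers the policy with the numerically lowest priority and the tunnel policies in the dump carry 1680 and 2000. Note also what the dump itself shows: the only "out" policy is keyed on the virtual IP (src 172.31.25.1/32), while the link route for 192.168.2.0/24 has no explicit source and so uses the physical address, which is why LAN packets match no IPsec policy and stay in clear text even without a bypass. The explicit bypass below is the belt-and-braces version for setups where that is not the case.

```shell
#!/bin/sh
# Added example: not from the original post and not strongSwan's own code.
# Builds (and optionally applies) "ip xfrm" passthrough policies that keep LAN
# traffic in clear text while a connection with rightsubnet=0.0.0.0/0 is up.
# Assumed values, taken from the posted dump: physical address 192.168.2.132
# on LAN 192.168.2.0/24. Tunnel policies there have priority 1680 and 2000;
# the kernel picks the numerically lowest priority, so the bypass gets 1000.

LAN="${LAN:-192.168.2.0/24}"
HOST="${HOST:-192.168.2.132/32}"
BYPASS_PRIO="${BYPASS_PRIO:-1000}"

# One "ip xfrm policy add" per direction. A policy with no "tmpl" (and the
# default action "allow") is a passthrough: matching packets are neither
# encrypted nor dropped. "fwd" mirrors "in", like strongSwan's own policies
# in the dump; it only matters if this host forwards traffic for others.
bypass_add_commands() {
    host="$1" lan="$2" prio="$3"
    printf 'ip xfrm policy add src %s dst %s dir out priority %s\n' "$host" "$lan" "$prio"
    printf 'ip xfrm policy add src %s dst %s dir in priority %s\n' "$lan" "$host" "$prio"
    printf 'ip xfrm policy add src %s dst %s dir fwd priority %s\n' "$lan" "$host" "$prio"
}

# Matching delete commands, for when the connection goes down.
bypass_del_commands() {
    host="$1" lan="$2"
    printf 'ip xfrm policy delete src %s dst %s dir out\n' "$host" "$lan"
    printf 'ip xfrm policy delete src %s dst %s dir in\n' "$lan" "$host"
    printf 'ip xfrm policy delete src %s dst %s dir fwd\n' "$lan" "$host"
}

# Lowest (most preferred) priority among the policies in an
# "ip xfrm policy" listing read from stdin.
lowest_priority() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "priority") print $(i + 1) }' |
        sort -n | head -n 1
}

# Succeeds only if the bypass priority beats every policy in the listing,
# i.e. the kernel will consult the bypass before any tunnel policy.
bypass_wins() {
    bypass="$1" listing="$2"
    lowest=$(printf '%s\n' "$listing" | lowest_priority)
    [ -n "$lowest" ] && [ "$bypass" -lt "$lowest" ]
}

# Constructed sample listing (abridged copy of the dump in the post) so the
# check can be exercised without root or a live tunnel.
SAMPLE_LISTING='src 0.0.0.0/0 dst 172.31.25.1/32 uid 0
    dir fwd action allow index 498 priority 2000 share any flag (0x00000000)
    tmpl src SERVER_IP dst 192.168.2.132
src 0.0.0.0/0 dst 172.31.25.1/32 uid 0
    dir in action allow index 488 priority 2000 share any flag (0x00000000)
    tmpl src SERVER_IP dst 192.168.2.132
src 172.31.25.1/32 dst 0.0.0.0/0 uid 0
    dir out action allow index 481 priority 1680 share any flag (0x00000000)
    tmpl src 192.168.2.132 dst SERVER_IP'

case "${1:-}" in
    apply)  bypass_add_commands "$HOST" "$LAN" "$BYPASS_PRIO" | sh -ex ;;
    delete) bypass_del_commands "$HOST" "$LAN" | sh -ex ;;
    check)  bypass_wins "$BYPASS_PRIO" "$(ip xfrm policy)" &&
                echo "bypass priority $BYPASS_PRIO precedes all installed policies" ;;
    *)      bypass_add_commands "$HOST" "$LAN" "$BYPASS_PRIO" ;;   # dry run: print only
esac
```

Run without arguments to see the commands, as root with "apply" once the connection is up (or from an updown script), "check" to confirm the bypass outranks every installed policy, and "delete" to remove it again. Because the bypass is installed outside the IKE daemon it survives rekeying but is not removed when the connection goes down, so the delete step belongs in whatever brings the tunnel down.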