[strongSwan] routing all traffic through tunnel without local one

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Thu Mar 11 13:04:30 CET 2010

Peter Winterer wrote:
> Hi Daniel,
> Am 08.03.2010 10:02, schrieb Daniel Mentz:
>> Matthias Dahl wrote:
>>>> To tunnel all internet traffic, you'll need a rightsubnet.
>>>> This however, includes your local network in the tunnel too.
>>> One could consider this a bug. Most people certainly never will want 
>>> their
>>> local traffic routed outside of their local network. The more I think 
>>> about
>>> it, this could even have security implications. The default should be 
>>> to have
>>> the local lan by-passed unless the user explicitely states otherwise.
>> One might also argue that the current behavior is more secure: Imagine a
>> road warrior being in a hotel room, connecting her laptop to the hotel's
>> LAN in order to get Internet access. She probably does not care about
>> other hosts on the local subnet. She just wants to have access to the
>> corporate network via IPsec.
>> Now, imagine that the hotel's LAN uses the same IP address space as some
>> resource on the corporate network. The traffic would then be sent to the
>> incorrect machine on the local subnet of the hotel that happens to have
>> the same IP address, instead of the machine on the corporate network.
> I think you are right. However, what about dhcp traffic in the local
> network? A client could not renew his ip address, because the dhcp
> traffic on the local dhcp-server would also be blocked. I'm not sure, 
> but I think with a linux client this would break the connection and 
> therefore the ipsec-tunnel.

Hi Peter,

that is indeed an interesting question. I guess one of the following is 

1. DHCP fails as you suspect.

2. The dhcp-client uses raw sockets to send/receive IP packets. Maybe 
ipsec policies do not apply to IP packets sent via raw sockets.

3. The dhcp-client sets a "per socket policy" of type 
IPSEC_POLICY_BYPASS. As a consequence, IP packets which are sent or 
received on that socket are not subject to IPsec processing. If you can 
read German, take a look at http://mirror.roe.ch/doc/hsr/sa-natt.pdf and 
search for "Per socket policy". This document has some good information 
about this socket option.


More information about the Users mailing list