[strongSwan] Bypassing traffic to local LAN
Jiehan Zheng
zheng at jiehan.org
Sat Aug 10 15:50:53 CEST 2013
Hi Tianjie,
Thanks for your response. Here is my server side config (with irrelevant
sections and directives removed):
config setup
    uniqueids=never

conn %default
    eap_identity=%identity
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightsourceip=%radius,10.0.0.0/24,10.0.1.0/24

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftauth=pubkey
    leftcert=...
    leftid=@...
    rightauth=eap-radius
    rightsendcert=never
    auto=add
And here is my local config:
config setup
    uniqueids=never

conn win7
    type=passthrough
    dpdaction=restart
    closeaction=restart
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    right=...
    rightauth=pubkey
    rightca=jiehanVpnCa.crt
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=...
    auto=start
I am connecting from my local LAN 192.168.11.0/24, and I do have an address
on that subnet on my wlp3s0 interface:
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 8c:70:5a:80:1e:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.172/24 brd 192.168.11.255 scope global wlp3s0
       valid_lft forever preferred_lft forever
    inet 10.0.0.14/32 scope global wlp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e70:5aff:fe80:1e78/64 scope link
       valid_lft forever preferred_lft forever
And here are the policies automatically installed:
src 0.0.0.0/0 dst 10.0.0.14/32
    dir fwd priority 1923
    tmpl src (MY_SERVER_IP) dst 192.168.11.172
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.0.0.14/32
    dir in priority 1923
    tmpl src (MY_SERVER_IP) dst 192.168.11.172
        proto esp reqid 1 mode tunnel
src 10.0.0.14/32 dst 0.0.0.0/0
    dir out priority 1923
    tmpl src 192.168.11.172 dst (MY_SERVER_IP)
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
Thanks,
Jiehan
On Sat, Aug 10, 2013 at 9:40 PM, Tianjie Mao <tjmao at tjmao.net> wrote:
> Hi Jiehan,
>
> Could you please list your current configuration on both sides? I have
> been using charon and it does not seem to cause unwanted traffic to be
> forwarded to the remote site.
>
> If that is a "local LAN" prefix, it should bypass the policy without a
> problem.
>
> If that is a prefix that needs to be forwarded by one or more routers,
> does adding a more-specific route work for you?
>
> Regards,
> Tianjie Mao
> On Aug 10, 2013 9:12 PM, "Jiehan Zheng" <zheng at jiehan.org> wrote:
>
>> Hi,
>>
>> I am using strongSwan 5.1.0 and my connection is using IKEv2. The
>> rightsubnet on my machine and leftsubnet on the server are both 0.0.0.0/0,
>> causing all traffic, including local LAN traffic, to be sent through
>> IPsec. I am looking for a way to exempt local traffic from being sent to
>> the server. I've read through this thread:
>> https://lists.strongswan.org/pipermail/users/2010-March/004614.html
>>
>> However, it's been three years so I am wondering if there is a better
>> way, now with version 5.1.0 and charon, to achieve this?
>>
>> Thanks,
>>
>> Jiehan
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
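The usual way to keep the local LAN out of a 0.0.0.0/0 tunnel on strongSwan 5.x is a separate shunt conn: the tunnel conn keeps the default type=tunnel, and a second conn with type=passthrough covering only the LAN prefix gets a pass policy that takes precedence over the 0.0.0.0/0 tunnel policy. The following client-side ipsec.conf is an added example, not the poster's file or strongSwan project code. It assumes the LAN prefix 192.168.11.0/24 from the post, the conn name lan-passthrough, and leaves "..." wherever the post elides a value.

```ini
# Client-side ipsec.conf (added example; assumed: LAN prefix 192.168.11.0/24,
# conn name "lan-passthrough"; "..." left where the post elides a value).
config setup
    uniqueids=never

conn win7
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    right=...
    rightauth=pubkey
    rightca=jiehanVpnCa.crt
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=...
    dpdaction=restart
    closeaction=restart
    # no type= line: this conn stays type=tunnel (the default)
    auto=start

# Shunt conn: packets between the wlan address and LAN peers match this
# pass policy (no ESP template) instead of the 0.0.0.0/0 tunnel policy.
conn lan-passthrough
    leftsubnet=192.168.11.0/24
    rightsubnet=192.168.11.0/24
    authby=never
    type=passthrough
    auto=route
```

After `ipsec reload`, `ip xfrm policy` should list in/out/fwd entries for 192.168.11.0/24 with no `tmpl` line and a lower priority value than the tunnel policy's 1923 (lower value wins in the kernel lookup); if those entries are missing, the shunt was not routed. Charon should also install a route for the passthrough prefix in its own routing table (220 by default) so LAN-bound packets leave from 192.168.11.172 rather than the virtual IP 10.0.0.14; verify that with `ip route show table 220`, because a packet still sourced from 10.0.0.14 matches the `src 10.0.0.14/32 dst 0.0.0.0/0` tunnel policy and not the pass policy.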