[strongSwan] ipsec policy priority
Tobias Brunner
tobias at strongswan.org
Tue Oct 15 18:14:30 CEST 2013
Hi Max,
> As a result I have the policy:
> >src 192.168.3.0/24 dst 192.168.5.0/24
> > dir out priority 1859
> > tmpl src 77.72.134.75 dst 195.96.165.70
> > proto esp reqid 16412 mode tunnel
> >src 192.168.3.0/24 dst 192.168.0.0/18
> > dir out priority 1859
> > tmpl src 77.xx.xx.xx dst 109.yy.yy.yy
> > proto esp reqid 16416 mode tunnel
Looks like you use an old strongSwan release (before 4.5.1), which does
not consider the destination subnet in the priority calculation. In
newer releases the priority of these policies should be quite different.
> traffic to the local IP is forwarded into the tunnel. I manually added
> several policies as a workaround:
> >src 192.168.3.0/24 dst 192.168.3.0/24
> > dir out priority 100
> >src 192.168.3.0/24 dst 192.168.3.0/24
> > dir fwd priority 100
> >src 192.168.3.0/24 dst 192.168.3.0/24
> > dir in priority 100
You could configure this with a type=passthrough config. But that might
require a newer release too. Something like the following works in
current releases:
conn lan
        leftsubnet=192.168.3.0/24
        rightsubnet=192.168.3.0/24
        type=passthrough
        auto=route
Regards,
Tobias
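An added example (not part of the thread and not strongSwan code) that makes the point above concrete: it parses `ip xfrm policy` output in the format Max quoted, flags same-direction policies that share a priority while their selectors overlap (the situation with the two 1859 policies, where priority alone cannot prefer the /24 destination over the /18), and resolves a few flows the way the kernel does, lowest priority value first. The SAMPLE text is constructed from the policies posted in the thread plus the priority-100 passthrough workaround; the template addresses are left as posted since the parser ignores them. The lookup is a simplified model of policy selection and does not implement strongSwan's own priority formula.

```python
"""Parse `ip xfrm policy` output and check whether the installed priorities
can tell a more specific destination apart from a less specific one."""
import ipaddress
import re
from itertools import combinations

# Constructed sample in `ip xfrm policy` layout, built from the policies
# quoted in the thread plus the manual passthrough policy (priority 100).
SAMPLE = """\
src 192.168.3.0/24 dst 192.168.5.0/24
    dir out priority 1859
    tmpl src 77.72.134.75 dst 195.96.165.70
        proto esp reqid 16412 mode tunnel
src 192.168.3.0/24 dst 192.168.0.0/18
    dir out priority 1859
    tmpl src 77.xx.xx.xx dst 109.yy.yy.yy
        proto esp reqid 16416 mode tunnel
src 192.168.3.0/24 dst 192.168.3.0/24
    dir out priority 100
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s*tmpl ")


def parse_xfrm_policies(text):
    """Return one dict per policy, in the order the kernel listed them."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1)),
                "dst": ipaddress.ip_network(m.group(2)),
                "dir": None,
                "priority": None,
                "tunnel": False,  # becomes True if a tmpl line follows
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2))
        elif TMPL_RE.match(line):
            # A template means matching traffic is put into an SA; a policy
            # without one (a passthrough policy) lets traffic bypass IPsec.
            cur["tunnel"] = True
    return policies


def ambiguous_pairs(policies):
    """Pairs of same-direction policies with equal priority whose src and dst
    selectors overlap: priority alone cannot prefer the more specific one."""
    pairs = []
    for a, b in combinations(policies, 2):
        if (a["dir"] == b["dir"] and a["priority"] == b["priority"]
                and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])):
            pairs.append((a, b))
    return pairs


def lookup(policies, src_ip, dst_ip, direction="out"):
    """Return (winning_policy, tie) for one flow. Among matching policies the
    lowest priority value wins; tie is True when another match shares it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    if not matches:
        return None, False
    matches.sort(key=lambda p: p["priority"])  # stable sort keeps listing order on ties
    winner = matches[0]
    tie = len(matches) > 1 and matches[1]["priority"] == winner["priority"]
    return winner, tie


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE)
    for a, b in ambiguous_pairs(pols):
        print(f"same priority {a['priority']}: dst {a['dst']} vs dst {b['dst']}")
    for target in ("192.168.3.10", "192.168.5.10", "192.168.40.1"):
        win, tie = lookup(pols, "192.168.3.10", target)
        kind = "tunnel" if win["tunnel"] else "passthrough"
        print(f"{target}: {kind} via dst {win['dst']} prio {win['priority']}"
              + (" (tie)" if tie else ""))
```

Run against the sample, the two tunnel policies are reported as an ambiguous pair, LAN-internal traffic to 192.168.3.10 is resolved by the priority-100 passthrough policy rather than the /18 tunnel policy (which is what the manual workaround achieves), and traffic to 192.168.5.10 matches both 1859 policies with nothing but listing order to separate them. To check a live system, feed the output of `ip xfrm policy` into `parse_xfrm_policies` instead of SAMPLE.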