[strongSwan] swanctl and bypass/shunt policies
Volker Rümelin
vr_strongswan at t-online.de
Tue Aug 19 17:19:06 CEST 2014
> Did anyone already write a bypass/shunt policy with swanctl?
> If so, I'd like to see one as an example.
>
>
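Hi Noel,
here is an example: the kernel policies before, a swanctl.conf with a pass policy, and the kernel policies after installing it.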
# ip xfrm pol
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
# cat /etc/swanctl/swanctl.conf
# swanctl.conf: one connection whose only child is a pass (bypass) policy.
connections {
    swanctl-home-online-ipv6 {
        # Left empty in this example; no local authentication settings are given.
        local {
        }
        children {
            sho-ipv6 {
                # mode = pass installs a bypass policy instead of negotiating a
                # CHILD_SA: traffic matching the selectors below is exempted from
                # IPsec and is sent unprotected. Keep the selectors as narrow as
                # possible (here: one host pair, one protocol).
                mode = pass
                # Selector format is subnet[protocol]. [ipv6] limits the match to
                # IP protocol "ipv6" (protocol 41, IPv6 encapsulated in IPv4); it
                # shows up as "proto ipv6" in `ip xfrm pol` once installed.
                # The addresses are redacted by the author.
                local_ts = 212.x.x.x/32[ipv6]
                remote_ts = 87.y.y.y/32[ipv6]
            }
        }
    }
}
# swanctl -c
loaded connection 'swanctl-home-online-ipv6'
successfully loaded 1 connections, 0 unloaded
# swanctl --install -c sho-ipv6
install completed successfully
# ip xfrm pol
src 87.y.y.y/32 dst 212.x.x.x/32 proto ipv6
dir fwd priority 1282 ptype main
src 87.y.y.y/32 dst 212.x.x.x/32 proto ipv6
dir in priority 1282 ptype main
src 212.x.x.x/32 dst 87.y.y.y/32 proto ipv6
dir out priority 1282 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
Sorry, I used the wrong email account in my first email.
Regards,
Volker