[strongSwan] swanctl and bypass/shunt policies

Noel Kuntze noel at familie-kuntze.de
Tue Aug 19 20:13:45 CEST 2014


Hello Volker,

Nice, thank you!

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 19.08.2014 at 17:19, Volker Rümelin wrote:
>
>> Did anyone already write a bypass/shunt policy with swanctl?
>> If so, I'd like to see one as an example.
>>
>>
> Hi Noel,
>
> # ip xfrm pol
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> # cat /etc/swanctl/swanctl.conf
> connections {
>     swanctl-home-online-ipv6 {
>         local {
>         }
>         children {
>             sho-ipv6 {
>                 mode = pass
>                 local_ts = 212.x.x.x/32[ipv6]
>                 remote_ts = 87.y.y.y/32[ipv6]
>             }
>         }
>     }
> }
> # swanctl -c
> loaded connection 'swanctl-home-online-ipv6'
> successfully loaded 1 connections, 0 unloaded
> # swanctl --install -c sho-ipv6
> install completed successfully
> # ip xfrm pol
> src 87.y.y.y/32 dst 212.x.x.x/32 proto ipv6
>         dir fwd priority 1282 ptype main
> src 87.y.y.y/32 dst 212.x.x.x/32 proto ipv6
>         dir in priority 1282 ptype main
> src 212.x.x.x/32 dst 87.y.y.y/32 proto ipv6
>         dir out priority 1282 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
>
> Sorry, I used the wrong email account in my first email.
>
> Regards,
> Volker
>

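An added check, not part of the original thread and not strongSwan code: in the quoted session the installed `mode = pass` child appears in `ip xfrm pol` as in/out/fwd entries with no `tmpl` line, so this script classifies each policy and reports which bypass directions are missing. The function names and the sample addresses are assumptions made for this example.

```sh
# Constructed `ip xfrm policy` output; documentation addresses stand in
# for the masked 212.x.x.x / 87.y.y.y of the thread.
sample_policies() {
cat <<'EOF'
src 198.51.100.7/32 dst 203.0.113.5/32 proto ipv6
        dir fwd priority 1282 ptype main
src 198.51.100.7/32 dst 203.0.113.5/32 proto ipv6
        dir in priority 1282 ptype main
src 203.0.113.5/32 dst 198.51.100.7/32 proto ipv6
        dir out priority 1282 ptype main
src 10.1.0.0/16 dst 10.2.0.0/16
        dir out priority 2883 ptype main
        tmpl src 203.0.113.5 dst 198.51.100.7
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
EOF
}

# One line per policy: "<kind> <dir> <selector>". kind is socket, drop
# (action block), ipsec (has a tmpl) or pass (no tmpl: sent unprotected).
classify_policies() {
    awk '
    function emit() {
        if (sel == "") return
        kind = sock ? "socket" : (block ? "drop" : (tmpl ? "ipsec" : "pass"))
        print kind, dir, sel
    }
    /^src / { emit(); sel = $0; dir = ""; sock = 0; tmpl = 0; block = 0; next }
    {
        if ($1 == "tmpl") tmpl = 1
        for (i = 1; i < NF; i++) {
            if ($i == "dir") dir = $(i + 1)
            if ($i == "socket") { sock = 1; dir = $(i + 1) }
            if ($i == "action" && $(i + 1) == "block") block = 1
        }
    }
    END { emit() }'
}

# Print each of out/in/fwd lacking a pass policy for local $1, remote $2.
missing_bypass_dirs() {
    pols=$(classify_policies)
    for d in out in fwd; do
        want="pass $d src $2 dst $1"; [ "$d" = out ] && want="pass out src $1 dst $2"
        printf '%s\n' "$pols" |
            awk -v w="$want" 'index($0 " ", w " ") == 1 { f = 1 } END { exit !f }' || printf '%s\n' "$d"
    done
}
```

On a live host, `ip xfrm policy | classify_policies | grep '^pass '` lists every selector whose traffic is let through outside IPsec, which is worth reviewing whenever shunt policies are in use.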
