[strongSwan] Bypass policies have too low priority
Noel Kuntze
noel at familie-kuntze.de
Wed Aug 20 22:59:50 CEST 2014
Hello list,
I use bypass policies and just found out that strongSwan installs those with a lower priority than the tunnel policies.
So bypass policies don't actually work sometimes.
In this particular case, if I change the TS of a connection from 192.168.178.0/24 172.16.20.0/24 == <censored>/32 172.16.21.0/24
to 192.168.178.0/24 172.16.20.0/24 == 0.0.0.0/0,
all packets leave through the tunnel, although the bypass policies should prevent that.
Regards,
Noel Kuntze
E.g.:
# swanctl -P
vserver, TUNNEL
local: 192.168.178.0/24 172.16.20.0/24
remote: <censored>/32 172.16.21.0/24
lan-shunt, PASS
local: 192.168.178.0/24
remote: 192.168.178.0/24
lan-broadcast-bypass, PASS
local: 192.168.178.255/32
remote: 0.0.0.0/0
vms-bypass, PASS
local: 0.0.0.0/0
remote: 192.168.122.0/24
# ip xfrm policy
src 172.16.20.1/32 dst 192.168.178.48/32
dir fwd priority 2819
tmpl src 192.168.178.43 dst 192.168.178.48
proto esp reqid 8 mode tunnel
src 172.16.20.1/32 dst 192.168.178.48/32
dir in priority 2819
tmpl src 192.168.178.43 dst 192.168.178.48
proto esp reqid 8 mode tunnel
src 192.168.178.48/32 dst 172.16.20.1/32
dir out priority 2819
tmpl src 192.168.178.48 dst 192.168.178.43
proto esp reqid 8 mode tunnel
src 192.168.178.6/32 dst 192.168.178.48/32
dir fwd priority 2819
tmpl src 192.168.178.6 dst 192.168.178.48
proto esp reqid 11 mode tunnel
src 192.168.178.6/32 dst 192.168.178.48/32
dir in priority 2819
tmpl src 192.168.178.6 dst 192.168.178.48
proto esp reqid 11 mode tunnel
src 192.168.178.48/32 dst 192.168.178.6/32
dir out priority 2819
tmpl src 192.168.178.48 dst 192.168.178.6
proto esp reqid 11 mode tunnel
src 172.16.21.0/24 dst 172.16.20.0/24
dir fwd priority 2883
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 172.16.21.0/24 dst 172.16.20.0/24
dir in priority 2883
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 172.16.20.0/24 dst 172.16.21.0/24
dir out priority 2883
tmpl src 192.168.178.48 dst <censored>
proto esp reqid 9 mode tunnel
src <censored>/32 dst 172.16.20.0/24
dir fwd priority 2851
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src <censored>/32 dst 172.16.20.0/24
dir in priority 2851
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 172.16.20.0/24 dst <censored>/32
dir out priority 2851
tmpl src 192.168.178.48 dst <censored>
proto esp reqid 9 mode tunnel
src 172.16.21.0/24 dst 192.168.178.0/24
dir fwd priority 2883
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 172.16.21.0/24 dst 192.168.178.0/24
dir in priority 2883
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 192.168.178.0/24 dst 172.16.21.0/24
dir out priority 2883
tmpl src 192.168.178.48 dst <censored>
proto esp reqid 9 mode tunnel
src <censored>/32 dst 192.168.178.0/24
dir fwd priority 2851
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src <censored>/32 dst 192.168.178.0/24
dir in priority 2851
tmpl src <censored> dst 192.168.178.48
proto esp reqid 9 mode tunnel
src 192.168.178.0/24 dst <censored>/32
dir out priority 2851
tmpl src 192.168.178.48 dst <censored>
proto esp reqid 9 mode tunnel
src 192.168.122.0/24 dst 0.0.0.0/0
dir fwd priority 1443
src 192.168.122.0/24 dst 0.0.0.0/0
dir fwd priority 1443
src 0.0.0.0/0 dst 192.168.122.0/24
dir out priority 1443
src 0.0.0.0/0 dst 192.168.178.255/32
dir fwd priority 1411
src 0.0.0.0/0 dst 192.168.178.255/32
dir in priority 1411
src 192.168.178.255/32 dst 0.0.0.0/0
dir out priority 1411
src 192.168.178.0/24 dst 192.168.178.0/24
dir fwd priority 1347
src 192.168.178.0/24 dst 192.168.178.0/24
dir in priority 1347
src 192.168.178.0/24 dst 192.168.178.0/24
dir out priority 1347
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
--
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
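A way to audit the situation described above, added here as an example and not code from the post or from the strongSwan project: parse `ip xfrm policy` output, resolve which policy the kernel would apply to a given flow, and list bypass policies that an overlapping tunnel policy outranks. It assumes that the kernel prefers the matching policy with the lowest numeric priority, that a policy printed without a `tmpl` line is a PASS (bypass) policy, and that `socket` policies can be ignored for flow lookups. The sample dump is constructed from the post's output with the censored peer address replaced by the placeholder 203.0.113.1; the second, "shadowed" dump adds a hypothetical wide tunnel policy with a priority value chosen for illustration, not computed by strongSwan.

```python
"""Resolve Linux xfrm policy precedence from `ip xfrm policy` output."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the format of the dump in the post (203.0.113.1 is a
# placeholder for the censored peer address).
SAMPLE = """\
src 192.168.178.48/32 dst 192.168.178.6/32
	dir out priority 2819
	tmpl src 192.168.178.48 dst 192.168.178.6
		proto esp reqid 11 mode tunnel
src 192.168.178.0/24 dst 172.16.21.0/24
	dir out priority 2883
	tmpl src 192.168.178.48 dst 203.0.113.1
		proto esp reqid 9 mode tunnel
src 0.0.0.0/0 dst 192.168.122.0/24
	dir out priority 1443
src 192.168.178.255/32 dst 0.0.0.0/0
	dir out priority 1411
src 192.168.178.0/24 dst 192.168.178.0/24
	dir out priority 1347
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
"""

# Hypothetical shadowing case: a wide tunnel policy whose priority value (1300,
# chosen for illustration, not a strongSwan-computed value) beats the bypasses.
SHADOWED = SAMPLE + """\
src 192.168.178.0/24 dst 0.0.0.0/0
	dir out priority 1300
	tmpl src 192.168.178.48 dst 203.0.113.1
		proto esp reqid 9 mode tunnel
"""


@dataclass
class Policy:
    src: Net
    dst: Net
    direction: str = ""           # "in", "out", "fwd" or "socket"
    priority: int = 0
    templates: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Assumption: no template printed means a PASS (bypass) policy.
        return "tunnel" if self.templates else "bypass"

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse the multi-line `ip xfrm policy` format into Policy objects."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src" and tok[2] == "dst":
            policies.append(Policy(ipaddress.ip_network(tok[1]),
                                   ipaddress.ip_network(tok[3])))
        elif tok[0] in ("dir", "socket") and tok[2] == "priority":
            pol = policies[-1]
            pol.direction = "socket" if tok[0] == "socket" else tok[1]
            pol.priority = int(tok[3])
        elif tok[0] == "tmpl":
            policies[-1].templates.append(f"{tok[2]}->{tok[4]}")
        elif tok[0] == "proto":
            policies[-1].templates[-1] += " " + " ".join(tok)
    return policies


def winning_policy(policies: List[Policy], src_ip: str, dst_ip: str,
                   direction: str) -> Optional[Policy]:
    """Lowest numeric priority among matching policies wins (assumption)."""
    candidates = [p for p in policies if p.matches(src_ip, dst_ip, direction)]
    return min(candidates, key=lambda p: p.priority, default=None)


def shadowed_bypasses(policies: List[Policy]) -> List[Tuple[Policy, Policy]]:
    """Bypass policies that an overlapping, better-ranked tunnel policy shadows.
    Flows inside the overlap would be sent through the tunnel despite the bypass."""
    found = []
    for b in (p for p in policies if p.action == "bypass" and p.direction != "socket"):
        for t in (p for p in policies if p.action == "tunnel" and p.direction == b.direction):
            if t.priority < b.priority and b.src.overlaps(t.src) and b.dst.overlaps(t.dst):
                found.append((b, t))
    return found


if __name__ == "__main__":
    for label, dump in (("dump from post", SAMPLE), ("hypothetical shadowed dump", SHADOWED)):
        pols = parse_xfrm_policy(dump)
        w = winning_policy(pols, "192.168.178.48", "192.168.178.6", "out")
        print(f"{label}: LAN flow 192.168.178.48 -> 192.168.178.6 gets "
              f"{w.action} (priority {w.priority})")
        for b, t in shadowed_bypasses(pols):
            print(f"  bypass {b.src}->{b.dst} prio {b.priority} shadowed by "
                  f"tunnel {t.src}->{t.dst} prio {t.priority}")
```

Run it against a live dump with `ip xfrm policy | python3 -c 'import sys, xfrmcheck; ...'` after saving the block as `xfrmcheck.py`, or paste the output into `SAMPLE`; the `shadowed_bypasses` report is empty when every bypass outranks the tunnel policies it overlaps, which is the condition the post expects and did not get for the 0.0.0.0/0 case.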