[strongSwan] Bypass policies have too low priority
Tobias Brunner
tobias at strongswan.org
Thu Aug 21 09:54:09 CEST 2014
Hi Noel,
> I use bypass policies and just found out that strongSwan installs those with a lower priority than the tunnel policies.
> So bypass policies don't actually work some times.
The Linux kernel actually prefers policies with lower priorities (by
their numeric value).
> In this particular case, if I change the TS of a connection from 192.168.178.0/24 172.16.20.0/24 == <censored>/32 172.16.21.0/24
> to 192.168.178.0/24 172.16.20.0/24 == 0.0.0.0/0,
> all packets leave through the tunnel, although the bypass policies should prevent that.
Changing the remote TS to /0 should definitely increase the priority
value (/24 === /0 should get you 2947 instead of 2883 for /24 on both
sides).
What particular packets (source/destination) do you see entering the
tunnel? Do the counters increase (ip -s state)? What about the use
times of the in/out bypass policies (ip -s policy)?
> src 192.168.122.0/24 dst 0.0.0.0/0
> dir fwd priority 1443
> src 192.168.122.0/24 dst 0.0.0.0/0
> dir fwd priority 1443
This looks odd. The second policy above should be *in* not *fwd*. Typo?
Regards,
Tobias
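As an added example (not from the thread and not strongSwan's own code), here is a Python reconstruction of how the kernel-netlink plugin of that era derived policy priorities; the PRIO_BASE of 384 and the shift layout are my reading of that code and an assumption, but they reproduce the 2883 and 1443 values quoted above and show why the kernel's lowest-value-wins rule lets a bypass policy take precedence. The overlapping tunnel selector and the packet addresses used for the selection check are constructed.

```python
import ipaddress
from dataclasses import dataclass

PRIO_BASE = 384  # base priority of the kernel-netlink plugin at the time (assumption)


@dataclass(frozen=True)
class Policy:
    src: str              # traffic selector, e.g. "192.168.122.0/24"
    dst: str
    kind: str             # "pass" = bypass policy, "default" = IPsec tunnel policy
    proto: int = 0        # 0 = any protocol
    ports: bool = False   # True when a source/destination port mask is set

    def priority(self) -> int:
        """Reconstruction of get_priority(): narrower selectors and bypass
        policies yield a smaller number, and the kernel prefers smaller numbers."""
        prio = PRIO_BASE
        if self.kind == "default":
            prio <<= 1                 # tunnel policies rank behind "pass" ones
        prio -= ipaddress.ip_network(self.src).prefixlen
        prio -= ipaddress.ip_network(self.dst).prefixlen
        prio <<= 2                     # make room for the two flag bits
        prio += 0 if self.ports else 2  # port-less selector: +2
        prio += 0 if self.proto else 1  # protocol-less selector: +1
        return prio

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def select_policy(policies, src_ip: str, dst_ip: str):
    """The kernel applies the matching policy with the lowest numeric priority."""
    matching = [p for p in policies if p.matches(src_ip, dst_ip)]
    return min(matching, key=Policy.priority, default=None)


# Selectors taken from the thread: /24 == /24 tunnel (2883) and /24 -> /0 bypass (1443)
TUNNEL = Policy("192.168.178.0/24", "172.16.20.0/24", "default")
BYPASS = Policy("192.168.122.0/24", "0.0.0.0/0", "pass")
# Constructed tunnel selector that overlaps the bypass policy, to exercise selection
OVERLAPPING_TUNNEL = Policy("192.168.122.0/24", "172.16.20.0/24", "default")

if __name__ == "__main__":
    print(TUNNEL.priority(), BYPASS.priority())  # 2883 1443
    chosen = select_policy([OVERLAPPING_TUNNEL, BYPASS], "192.168.122.10", "172.16.20.5")
    print("bypass wins" if chosen is BYPASS else "tunnel wins")
```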