[strongSwan] manual bypass policy for client-server architecture using transport mode
Tobias Brunner
tobias at strongswan.org
Tue Jul 12 10:36:30 CEST 2016
Hi Plevin,
>> conn client-1-bypass
>> left=192.168.0.1
>> right=192.168.0.2
>> rightsubnet=192.168.0.2[tcp/5001]
>> leftfirewall=yes
>> type=passthrough
>> authby=secret
>> auto=add
You configured this like a regular connection (left|right specified,
leftfirewall=yes, authby=secret, auto=add). So this might get
established like one. Instead you should set at least right to
127.0.0.1 so it won't get used as responder, and configure the traffic
selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32,
rightsubnet=192.168.0.2/32[tcp/5001]). leftfirewall=yes has no effect
here, so if you need firewall rules to allow that traffic you have to
install them yourself. And to install the policies when the config is
loaded use auto=route. Same on the other host:
>> conn server-bypass
>> right=127.0.0.1
>> leftsubnet=192.168.0.2/32[tcp/5001]
>> rightsubnet=0.0.0.0/0
>> type=passthrough
>> auto=route
Regards,
Tobias
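As an added example (not part of the thread, and not strongSwan's own code), the script below encodes the advice in this reply as a small lint over ipsec.conf `conn` sections: for every `type=passthrough` conn it checks that `right` is 127.0.0.1, that traffic selectors are given via `leftsubnet`/`rightsubnet`, that `auto=route` is used, and it warns about the settings that only make sense for a regular connection (`leftfirewall=yes`, `authby`). The ipsec.conf parser is deliberately simplified (assumption: it ignores `config setup`, `ca` sections, `also=` includes and `%default`), and the embedded sample is constructed from the quoted client config plus a corrected variant.

```python
"""Lint ipsec.conf 'conn' sections for passthrough/bypass policy pitfalls."""
import re
from typing import Dict, List, Optional

# Constructed sample ipsec.conf: the client-side conn as quoted in the
# thread, followed by a version rewritten according to the reply.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1"

conn client-1-bypass
    left=192.168.0.1
    right=192.168.0.2
    rightsubnet=192.168.0.2[tcp/5001]
    leftfirewall=yes
    type=passthrough
    authby=secret
    auto=add

conn client-1-bypass-fixed
    right=127.0.0.1
    leftsubnet=192.168.0.1/32
    rightsubnet=192.168.0.2/32[tcp/5001]
    type=passthrough
    auto=route
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Simplified parser (assumption): '#' comments are stripped, any other
    unindented header ('config setup', 'ca ...') ends the current conn,
    and 'also=' includes / '%default' inheritance are not resolved.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if re.match(r"^\S", line):  # some other section header
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def lint_passthrough(name: str, opts: Dict[str, str]) -> List[str]:
    """Findings for one conn; empty list if it is not a passthrough conn
    or is configured the way the reply recommends."""
    findings: List[str] = []
    if opts.get("type") != "passthrough":
        return findings
    if opts.get("right") != "127.0.0.1":
        findings.append(f"{name}: right={opts.get('right', '<unset>')}; "
                        "set right=127.0.0.1 so the conn is never used as responder")
    for side in ("leftsubnet", "rightsubnet"):
        if side not in opts:
            findings.append(f"{name}: {side} missing; traffic selectors go "
                            "in leftsubnet/rightsubnet (port selectors allowed)")
    if opts.get("auto") != "route":
        findings.append(f"{name}: auto={opts.get('auto', '<unset>')}; use auto=route "
                        "so the policy is installed when the config is loaded")
    if opts.get("leftfirewall") == "yes":
        findings.append(f"{name}: leftfirewall=yes has no effect on a passthrough "
                        "conn; install firewall rules yourself")
    if "authby" in opts:
        findings.append(f"{name}: authby is only meaningful for a regular "
                        "connection, drop it from the passthrough conn")
    return findings


def lint_config(text: str) -> Dict[str, List[str]]:
    """Lint every conn in an ipsec.conf text; returns {conn_name: findings}."""
    return {name: lint_passthrough(name, opts)
            for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for conn, issues in lint_config(SAMPLE_IPSEC_CONF).items():
        print(f"{conn}: {'ok' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run against a real /etc/ipsec.conf by reading the file into `lint_config`; the quoted `client-1-bypass` conn produces five findings, while the corrected conn produces none.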