[strongSwan] manual bypass policy for client-server architecture using transport mode

Tobias Brunner tobias at strongswan.org
Tue Jul 12 10:36:30 CEST 2016

Hi Plevin,

>> conn client-1-bypass
>>              left=
>>              right=
>>              rightsubnet=[tcp/5001]
>>              leftfirewall=yes
>>              type=passthrough
>>              authby=secret
>>              auto=add

You configured this like a regular connection (left|right specified,
leftfirewall=yes, authby=secret, auto=add).  So this might get
established like one.  Instead you should set at least right to so it won't get used as responder, and configure the traffic
selectors via left|rightsubnet (e.g. leftsubnet=,
rightsubnet=[tcp/5001]).  leftfirewall=yes has no effect
here, so if you need firewall rules to allow that traffic you have to
install them yourself.  And to install the policies when the config is
loaded use auto=route.  Same on the other host:

>> conn server-bypass
>>              right=
>>              leftsubnet=[tcp/5001]
>>              rightsubnet=
>>              type=passthrough
>>              auto=route
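As an added illustration of the layout Tobias describes (this is not the original poster's configuration and not taken from the strongSwan documentation; the addresses 192.0.2.10 for the client and 192.0.2.20 for the server are assumed placeholders, and the regular IPsec conn between the two hosts is omitted), both bypass connections in ipsec.conf carry only traffic selectors, type=passthrough and auto=route, with no left/right, no authby and no leftfirewall:

```conf
# Client side (assumed address 192.0.2.10): bypass IPsec for traffic
# from this host to the server's TCP port 5001. Installed as a shunt
# policy when the config is loaded (auto=route); no IKE is involved.
conn client-1-bypass
        leftsubnet=192.0.2.10/32
        rightsubnet=192.0.2.20/32[tcp/5001]
        type=passthrough
        auto=route

# Server side (assumed address 192.0.2.20): the mirror image, so that
# replies from port 5001 back to the client are also passed through.
conn server-bypass
        leftsubnet=192.0.2.20/32[tcp/5001]
        rightsubnet=192.0.2.10/32
        type=passthrough
        auto=route
```

After `ipsec reload`, `ipsec statusall` should list both conns under "Shunted Connections", and `ip xfrm policy` on each host should show the matching policies without an IPsec template. Because leftfirewall=yes has no effect on a passthrough conn, any firewall rule needed to let tcp/5001 through has to be added by hand.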

