[strongSwan] manual bypass policy for client-server architecture using transport mode
phlevin at runbox.com
Wed Jul 13 16:53:31 CEST 2016
Thanks much for your response.
FYI, the ipsec config you provided doesn't work without a strongSwan config change. Setting right to 127.0.0.1 causes
it to swap left and right:
> Jul 13 12:06:41 07[CFG] received stroke: add connection 'client-1-bypass'
> Jul 13 12:06:41 07[CFG] left is other host, swapping ends
> Jul 13 12:06:41 07[CFG] added configuration 'client-1-bypass'
As a result, the bypass policies become inverted and they never match - all traffic goes over the non-bypassed SA.
The simple solution is to set the following strongSwan config:
charon.plugins.allow_swap = no
I'm not sure if one would be expected to make such a change in order to get this bypass scenario to function,
but that's what worked for me.
On 7/12/2016 4:36 AM, Tobias Brunner wrote:
> Hi Plevin,
>>> conn client-1-bypass
> You configured this like a regular connection (left|right specified,
> leftfirewall=yes, authby=secret, auto=add). So this might get
> established like one. Instead you should set at least right to
> 127.0.0.1 so it won't get used as responder, and configure the traffic
> selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32,
> rightsubnet=192.168.0.2/32[tcp/5001]). leftfirewall=yes has no effect
> here, so if you need firewall rules to allow that traffic you have to
> install them yourself. And to install the policies when the config is
> loaded use auto=route. Same on the other host:
>>> conn server-bypass
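The two pieces discussed in this thread, put together as an added example (not configuration from the original post or from the strongSwan project): the bypass connections on both hosts following the reply's advice (right=127.0.0.1, traffic selectors via leftsubnet/rightsubnet, auto=route), plus the strongswan.conf setting that keeps stroke from swapping the ends. Assumptions: the addresses 192.168.0.1 (client) and 192.168.0.2 (server) and port tcp/5001 are the ones given in the reply; `type=passthrough` is assumed, since the original conn definitions are not visible on the page and that is the ipsec.conf option that installs a bypass policy rather than negotiating an SA; the full option name is `charon.plugins.stroke.allow_swap`, as documented for strongswan.conf, which the post above abbreviates.

```ini
# --- strongswan.conf (added example; key name assumed to be the documented one) ---
charon {
    plugins {
        stroke {
            # Keep "left" as the local end even when right is a local address
            # (127.0.0.1), so the bypass policy is not installed inverted.
            allow_swap = no
        }
    }
}

# --- ipsec.conf on the client (192.168.0.1, address assumed from the reply) ---
conn client-1-bypass
    type=passthrough                      # assumed: bypass policy, no SA, no auth
    auto=route                            # install the policy when the config is loaded
    left=192.168.0.1
    leftsubnet=192.168.0.1/32
    right=127.0.0.1                       # never usable as a responder
    rightsubnet=192.168.0.2/32[tcp/5001]  # only this service bypasses IPsec

# --- ipsec.conf on the server (192.168.0.2), mirrored as the reply suggests ---
conn server-bypass
    type=passthrough
    auto=route
    left=192.168.0.2
    leftsubnet=192.168.0.2/32[tcp/5001]
    right=127.0.0.1
    rightsubnet=192.168.0.1/32
```

After reloading, check the installed direction rather than trusting the log: `ipsec statusall` lists the routed connection with its selectors, and `ip xfrm policy` shows the kernel policies; the bypass policy's `src` must be the local host and `dst` the peer. If the charon log shows "left is other host, swapping ends" for the bypass conn, the policy is inverted and the traffic will silently take the protected SA instead, which is exactly the failure the post describes.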