[strongSwan] manual bypass policy for client-server architecture using transport mode

Plevin phlevin at runbox.com
Wed Jul 13 16:53:31 CEST 2016


Hello Tobias,

Thanks much for your response.

FYI, the ipsec config you provided doesn't work without a strongSwan config change. Setting right to 127.0.0.1 causes
strongSwan to swap left and right:

> Jul 13 12:06:41 07[CFG] received stroke: add connection 'client-1-bypass'
> ...
> Jul 13 12:06:41 07[CFG] left is other host, swapping ends
> Jul 13 12:06:41 07[CFG] added configuration 'client-1-bypass'

As a result, the bypass policies become inverted and they never match - all traffic goes over the non-bypassed SA.

The simple solution is to set the following strongSwan config:

   charon.plugins.allow_swap = no

I'm not sure if one would be expected to make such a change in order to get this bypass scenario to function,
but that's what worked for me.

Regards.

Plevin

On 7/12/2016 4:36 AM, Tobias Brunner wrote:
> Hi Plevin,
>
>>> conn client-1-bypass
>>>               left=192.168.0.1
>>>               right=192.168.0.2
>>>               rightsubnet=192.168.0.2[tcp/5001]
>>>               leftfirewall=yes
>>>               type=passthrough
>>>               authby=secret
>>>               auto=add
> You configured this like a regular connection (left|right specified,
> leftfirewall=yes, authby=secret, auto=add).  So this might get
> established like one.  Instead you should set at least right to
> 127.0.0.1 so it won't get used as responder, and configure the traffic
> selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32,
> rightsubnet=192.168.0.2/32[tcp/5001]).  leftfirewall=yes has no effect
> here, so if you need firewall rules to allow that traffic you have to
> install them yourself.  And to install the policies when the config is
> loaded use auto=route.  Same on the other host:
>
>>> conn server-bypass
>>>               right=127.0.0.1
>>>               leftsubnet=192.168.0.2/32[tcp/5001]
>>>               rightsubnet=0.0.0.0/0
>>>               type=passthrough
>>>               auto=route
> Regards,
> Tobias
>
>
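The following is an added example, not code from this thread or from strongSwan. It models the end-swapping behaviour reported in the log above ("left is other host, swapping ends") and checks whether the flow a passthrough conn is meant to exempt would still match the policy once the ends are swapped. The ipsec.conf parser, the `local_addrs` parameter (the set of addresses strongSwan treats as its own, which the thread does not spell out for the client host) and the swap rule itself (swap when `left` is an explicit address outside that set and `right` is inside it, unless `allow_swap` is off) are simplifying assumptions of this model, not strongSwan's exact logic. The sample configuration is the client and server bypass conns from the thread, embedded inline.

```python
"""Model of an ipsec.conf passthrough conn after the stroke plugin's end swap.

Added example, not strongSwan code. The swap rule below is a simplified
assumption: swap ends when 'left' is an explicit address that is not local
and 'right' is local, unless allow_swap has been disabled.
"""
import ipaddress
import re

# Constructed sample: the two bypass conns discussed in the thread.
IPSEC_CONF = """
conn client-1-bypass
    left=192.168.0.1
    right=127.0.0.1
    leftsubnet=192.168.0.1/32
    rightsubnet=192.168.0.2/32[tcp/5001]
    type=passthrough
    auto=route

conn server-bypass
    right=127.0.0.1
    leftsubnet=192.168.0.2/32[tcp/5001]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_selector(selector):
    """'192.168.0.2/32[tcp/5001]' -> (network, proto, port); absent parts are None."""
    m = re.fullmatch(r"([^\[]+)(?:\[(\w+)(?:/(\d+))?\])?", selector)
    net = ipaddress.ip_network(m.group(1), strict=False)
    port = int(m.group(3)) if m.group(3) else None
    return net, m.group(2), port


def effective_ends(conn, local_addrs, allow_swap=True):
    """Return (local_selector, remote_selector) as the policy would be installed.

    Assumed swap rule: an explicit non-local 'left' with a local 'right' gets
    swapped (mirrors the "left is other host, swapping ends" log line).
    """
    left, right = conn.get("left"), conn.get("right")
    lsub = conn.get("leftsubnet", left)
    rsub = conn.get("rightsubnet", right)
    swap = (allow_swap and left is not None
            and left not in local_addrs and right in local_addrs)
    return (rsub, lsub) if swap else (lsub, rsub)


def _match(selector, addr, port, proto):
    net, sel_proto, sel_port = parse_selector(selector)
    return (ipaddress.ip_address(addr) in net
            and (sel_proto is None or sel_proto == proto)
            and (sel_port is None or sel_port == port))


def flow_bypassed(conn, local_addrs, src, sport, dst, dport, proto,
                  allow_swap=True):
    """True if the outbound flow src:sport -> dst:dport matches the bypass policy."""
    local_sel, remote_sel = effective_ends(conn, local_addrs, allow_swap)
    return _match(local_sel, src, sport, proto) and _match(remote_sel, dst, dport, proto)


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    client = conns["client-1-bypass"]
    # Scenario from the thread: only loopback recognised as local on the client.
    for allow in (True, False):
        print("allow_swap=%s ends=%s bypassed=%s" % (
            allow, effective_ends(client, {"127.0.0.1"}, allow),
            flow_bypassed(client, {"127.0.0.1"}, "192.168.0.1", 40000,
                          "192.168.0.2", 5001, "tcp", allow)))
```

With `allow_swap` left at its default, the client's selectors come out as local `192.168.0.2/32[tcp/5001]` / remote `192.168.0.1/32`, so an outbound connection from 192.168.0.1 to 192.168.0.2:5001 never matches the bypass and is carried over the regular SA, which is exactly the inversion the message above describes; with the swap disabled the same flow matches. On a real host, the authoritative check is the installed policy set (for example `ip xfrm policy` on Linux), not the configuration file.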
