[strongSwan] Exclude protocol from IPsec
Piyush Agarwal
agarwalpiyush at gmail.com
Wed May 24 02:59:36 CEST 2017
Turns out charon.plugins.stroke.allow_swap handling is missing (or there is
a bug) in 5.1.2.
I moved to 5.3.5 and I have unencrypted ping now working.
Thanks.
On Tue, May 23, 2017 at 5:02 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:
> After some googling, I tried two things:
> 1) changed strongswan.conf to set allow_swap = no:
>
> charon {
> install_routes = no
> load_modular = yes
> plugins {
> stroke {
> allow_swap = no
> }
> include strongswan.d/charon/*.conf
> }
>
> filelog {
> /var/run/charon.log {
> default = 2
> flush_line = yes
> }
> }
> }
>
>
> 2) added "allow_swap = no" in stroke.conf in /etc/strongswan.d/charon/
>
> But they did not help and I still see this log message in server's
> charon.log (and not client's):
>
> *10[CFG] left is other host, swapping ends*
>
>
> On Tue, May 23, 2017 at 4:25 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
> wrote:
>
>> Exactly, but nowhere in my config file do I find a mistake. How can I
>> correct the TS?
>>
>> Again, my config "skip" for passthrough only specifies leftsubnet and
>> rightsubnet (and they are indeed correct):
>>
>> Client's skip conn:
>> leftsubnet=1.100.0.9/32
>> rightsubnet=1.100.0.5/32
>>
>>
>> Server's skip conn:
>> leftsubnet=1.100.0.5/32
>> rightsubnet=1.100.0.9/32
>>
>> Why is the server's TS wrong then? Is this a bug? Right now I am running
>> 5.1.2 (but I also tried 5.3.5).
>>
>> Thanks.
>>
>> On Tue, May 23, 2017 at 4:20 PM, Noel Kuntze <noel at familie-kuntze.de>
>> wrote:
>>
>>> TS is oriented the wrong way.
>>>
>>>
>>> Am 24. Mai 2017 00:12:17 MESZ schrieb Piyush Agarwal <
>>> agarwalpiyush at gmail.com>:
>>>>
>>>> I see this in server's log, is that a red flag? The local address on
>>>> server 1.100.0.5 (client is 1.100.0.9).
>>>>
>>>> 13[CFG] received stroke: route 'skip'
>>>> 13[CFG] proposing traffic selectors for us:
>>>> 13[CFG] 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D>
>>>> 13[CFG] proposing traffic selectors for other:
>>>> 13[CFG] 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D>
>>>> 13[KNL] adding policy 1.100.0.9/32[icmp]
>>>> <http://1.100.0.9/32%5Bicmp%5D> === 1.100.0.5/32[icmp]
>>>> <http://1.100.0.5/32%5Bicmp%5D> out (mark 0/0x00000000)
>>>> 13[KNL] adding policy 1.100.0.5/32[icmp]
>>>> <http://1.100.0.5/32%5Bicmp%5D> === 1.100.0.9/32[icmp]
>>>> <http://1.100.0.9/32%5Bicmp%5D> in (mark 0/0x00000000)
>>>> 13[KNL] adding policy 1.100.0.5/32[icmp]
>>>> <http://1.100.0.5/32%5Bicmp%5D> === 1.100.0.9/32[icmp]
>>>> <http://1.100.0.9/32%5Bicmp%5D> fwd (mark 0/0x00000000)
>>>> 13[KNL] getting a local address in traffic selector 1.100.0.9/32[icmp]
>>>> <http://1.100.0.9/32%5Bicmp%5D>
>>>> *13[KNL] no local address found in traffic selector 1.100.0.9/32[icmp]
>>>> <http://1.100.0.9/32%5Bicmp%5D>*
>>>>
>>>>
>>>> On Tue, May 23, 2017 at 2:48 PM, <agarwalpiyush at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> Thanks for the suggestion. With the change you recommended, I do see
>>>>> some progress. But here are the issues:
>>>>>
>>>>> 1) client -> server ping: I do see echo request is un-encrypted as
>>>>> seen by tcpdump on server's interface. But tcpdump on the server's
>>>>> interface shows no reply being generated (if I remove passthrough policy,
>>>>> the encrypted replies work just fine). I saw threads about strongswan using
>>>>> route table 220, but I don't see any output of "ip route show table 220".
>>>>> Why is "auto=route" required? How is it messing with the server side's echo
>>>>> reply, assuming that is the case? I tried with auto=start but that still
>>>>> had ICMP packets encrypted.
>>>>>
>>>>> 2) server -> client ping: I see server's ping show up encrypted on the
>>>>> client's interface. Client's interface tcpdump sees un-unencrypted echo
>>>>> reply. But this reply is not seen on server's interface at all!!
>>>>>
>>>>> Does the order of IP addresses in output of "Shunted policies" have
>>>>> any significance? I see server side is showing shunted connected as
>>>>> "client/32 == server/32" which is not what I expected.
>>>>>
>>>>> *Client output:*
>>>>> *client$:ipsec status*
>>>>> Shunted Connections:
>>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>>> Security Associations (1 up, 0 connecting):
>>>>> 1.100.0.5[1]: ESTABLISHED 8 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.5[C=US,
>>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>>> 1.100.0.5{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5067855_i
>>>>> cfc50c8b_o
>>>>> 1.100.0.5{1}: 1.100.0.9/32 === 1.100.0.5/32
>>>>>
>>>>> *Server output:*
>>>>> *server$:ipsec status*
>>>>> Shunted Connections:
>>>>> * skip: 1.100.0.9/32[icmp] <http://1.100.0.9/32%5Bicmp%5D> ===
>>>>> 1.100.0.5/32[icmp] <http://1.100.0.5/32%5Bicmp%5D> PASS*
>>>>> Security Associations (1 up, 0 connecting):
>>>>> 1.100.0.9[1]: ESTABLISHED 9 minutes ago, 1.100.0.5[C=US, ST=CA,
>>>>> L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]...1.100.0.9[C=US,
>>>>> ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=owca.com]
>>>>> 1.100.0.9{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfc50c8b_i
>>>>> c5067855_o
>>>>> 1.100.0.9{1}: 1.100.0.5/32 === 1.100.0.9/32
>>>>>
>>>>> Much appreciate any help. Racoon/setkey was very straightforward to
>>>>> get this working :( Hopefully it is a mistake I am making/misconfiguring
>>>>> etc.
>>>>>
>>>>> Reprinting the ipsec.conf (after changes were done):
>>>>> *Client:*
>>>>>
>>>>> conn skip
>>>>> type=passthrough
>>>>> left=127.0.0.1
>>>>> leftsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>>> leftcert=client_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=server_cert.pem
>>>>> right=127.0.0.1
>>>>> rightsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>>> auto=route
>>>>>
>>>>> conn 1.100.0.5
>>>>> type=transport
>>>>> left=1.100.0.9
>>>>> leftcert=client_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=server_cert.pem
>>>>> right=1.100.0.5
>>>>> reauth=no
>>>>> dpdaction=restart
>>>>> auto=start
>>>>>
>>>>> *Server:*
>>>>>
>>>>> conn skip
>>>>> type=passthrough
>>>>> left=127.0.0.1
>>>>> leftsubnet=1.100.0.5/32[icmp/] <http://1.100.0.5/32%5Bicmp/%5D>
>>>>> leftcert=server_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=client_cert.pem
>>>>> right=127.0.0.1
>>>>> rightsubnet=1.100.0.9/32[icmp/] <http://1.100.0.9/32%5Bicmp/%5D>
>>>>> auto=route
>>>>>
>>>>> conn 1.100.0.9
>>>>> type=transport
>>>>> left=1.100.0.5
>>>>> leftcert=server_cert.pem
>>>>> leftsendcert=always
>>>>> rightcert=client_cert.pem
>>>>> right=1.100.0.9
>>>>> reauth=no
>>>>> dpdaction=restart
>>>>> auto=add
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Tuesday, May 23, 2017 at 12:30:15 PM UTC-7, Dusan Ilic wrote:
>>>>>>
>>>>>> Try following
>>>>>>
>>>>>> type=passthrough
>>>>>> left=127.0.0.1
>>>>>> leftsubnet=1.100.0.9/32[icmp/]
>>>>>> right=127.0.0.1
>>>>>> rightsubnet=1.100.0.5/32[icmp/]
>>>>>> auto=route
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---- agarwa... at gmail.com skrev ----
>>>>>>
>>>>>>
>>>>>> Reading another thread, I changed "right" of "skip" connection on
>>>>>> both client and server to be "127.0.0.1" and that fixed up a few
>>>>>> things:
>>>>>> 1) The IPsec installed is type transport (as desired)
>>>>>> 2) I do see shunted policies list ICMP PASS
>>>>>>
>>>>>> *However, I still have my pings from client to server encrypted :(*
>>>>>>
>>>>>> *Client:*
>>>>>> # ipsec statusall
>>>>>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic,
>>>>>> x86_64):
>>>>>> uptime: 10 minutes, since May 23 12:02:46 2017
>>>>>> malloc: sbrk 2564096, mmap 0, used 393728, free 2170368
>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>>>>> scheduled: 3
>>>>>> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
>>>>>> rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12
>>>>>> pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>>>>> socket-default stroke updown eap-identity addrblock
>>>>>> Listening IP addresses:
>>>>>> 1.100.0.9
>>>>>> Connections:
>>>>>> skip: %any...127.0.0.1 IKEv2
>>>>>> skip: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com"
>>>>>> skip: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>> skip: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com"
>>>>>> skip: child: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS
>>>>>> 1.100.0.5: 1.100.0.9...1.100.0.5 IKEv2, dpddelay=60s
>>>>>> 1.100.0.5: local: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com"
>>>>>> 1.100.0.5: remote: [C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com] uses public key authentication
>>>>>> 1.100.0.5: cert: "C=US, ST=CA, L=Mountain View, O=TEST,
>>>>>> OU=AgentC, CN=test.com"
>>>>>> 1.100.0.5: child: dynamic === dynamic *TRANSPORT*,
>>>>>> dpdaction=restart
>>>>>> *Shunted Connections:*
>>>>>> * skip: 0.0.0.0/0[icmp] === 0.0.0.0/0[icmp] PASS*
>>>>>> Security Associations (1 up, 0 connecting):
>>>>>> 1.100.0.5[1]: ESTABLISHED 10 minutes ago, 1.100.0.9[C=US, ST=CA,
>>>>>> L=Mountain View, O=TEST, OU=AgentC, CN=test.com]...1.100.0.5[C=US,
>>>>>> ST=CA, L=Mountain View, O=TEST, OU=AgentC, CN=test.com]
>>>>>> 1.100.0.5[1]: IKEv2 SPIs: be5caa6cea2281c2_i* 79bb5ad924d8d919_r,
>>>>>> rekeying in 44 minutes
>>>>>> 1.100.0.5[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_H
>>>>>> MAC_SHA1/MODP_2048
>>>>>> 1.100.0.5{1}: INSTALLED, *TRANSPORT*, ESP SPIs: c989f733_i
>>>>>> c3f6a42e_o
>>>>>> 1.100.0.5{1}: AES_CBC_128/HMAC_SHA1_96, 520206 bytes_i (2551
>>>>>> pkts, 1s ago), 1691623 bytes_o (2986 pkts, 10s ago), rekeying in 5
>>>>>> minutes
>>>>>> 1.100.0.5{1}: *1.100.0.9/32 === 1.100.0.5/32*
>>>>>>
>>>>>>
>>>>>> *Client setkey -DP output:*
>>>>>> 1.100.0.5[any] 1.100.0.9[any] 255
>>>>>> in prio high + 1073740029 ipsec
>>>>>> esp/transport//unique:1
>>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:52 2017
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=2248 seq=1 pid=176401
>>>>>> refcnt=11
>>>>>> 1.100.0.9[any] 1.100.0.5[any] 255
>>>>>> out prio high + 1073740029 ipsec
>>>>>> esp/transport//unique:1
>>>>>> created: May 23 12:18:12 2017 lastused: May 23 12:18:47 2017
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=2241 seq=2 pid=176401
>>>>>> refcnt=11
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> fwd prio high + 1073739774 none
>>>>>> created: May 23 12:02:46 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=2130 seq=3 pid=176401
>>>>>> refcnt=1
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> in prio high + 1073739774 none
>>>>>> created: May 23 12:02:46 2017 lastused: May 23 12:02:50 2017
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=2120 seq=4 pid=176401
>>>>>> refcnt=1
>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>> out prio high + 1073739774 none
>>>>>> created: May 23 12:02:46 2017 lastused:
>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>> spid=2113 seq=5 pid=176401
>>>>>> refcnt=1
>>>>>>
>>>>>>
>>>>>> On Tuesday, May 23, 2017 at 11:29:04 AM UTC-7, agarwa... at gmail.com
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Noel,
>>>>>>> Many thanks for the pointer. Looks like I am missing something more
>>>>>>> or perhaps making a mistake.
>>>>>>>
>>>>>>> Client [1.100.0.9] -- Server [1.100.0.5]
>>>>>>>
>>>>>>> Goal: All non-ICMP traffic to be over IPsec tunnel between these two
>>>>>>> machines.
>>>>>>>
>>>>>>> Strongswan 5.1.2
>>>>>>>
>>>>>>> The client and server are using self-signed certificates and have
>>>>>>> each other's certs in /etc/ipsec.d/certs/
>>>>>>>
>>>>>>> *Client ipsec.conf <http://ipsec.conf>:*
>>>>>>>
>>>>>>> config setup
>>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>>> uniqueids=no
>>>>>>>
>>>>>>> conn %default
>>>>>>> ikelifetime=60m
>>>>>>> keylife=20m
>>>>>>> rekeymargin=3m
>>>>>>> keyingtries=1
>>>>>>> keyexchange=ikev2
>>>>>>> authby=rsasig
>>>>>>>
>>>>>>> conn skip
>>>>>>> type=*passthrough*
>>>>>>> left=1.100.0.9
>>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>> leftcert=client_cert.pem
>>>>>>> leftsendcert=always
>>>>>>> rightcert=server_cert.pem
>>>>>>> right=1.100.0.5
>>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>> auto=route
>>>>>>>
>>>>>>> conn 1.100.0.5
>>>>>>> type=*transport*
>>>>>>> left=1.100.0.9
>>>>>>> leftcert=client_cert.pem
>>>>>>> leftsendcert=always
>>>>>>> rightcert=server_cert.pem
>>>>>>> right=1.100.0.5
>>>>>>> reauth=no
>>>>>>> auto=start
>>>>>>>
>>>>>>> *Server ipsec.conf <http://ipsec.conf>:*
>>>>>>>
>>>>>>> config setup
>>>>>>> charondebug = "dmn 0,mgr 1, ike 2, job 2, cfg 2, knl 1, net 1,
>>>>>>> tls 1, lib 0, enc 0, tnc 0"
>>>>>>> uniqueids=no
>>>>>>>
>>>>>>> conn %default
>>>>>>> ikelifetime=60m
>>>>>>> keylife=20m
>>>>>>> rekeymargin=3m
>>>>>>> keyingtries=1
>>>>>>> keyexchange=ikev2
>>>>>>> authby=rsasig
>>>>>>>
>>>>>>> conn skip
>>>>>>> type=*passthrough*
>>>>>>> left=1.100.0.5
>>>>>>> leftsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>> leftcert=server_cert.pem
>>>>>>> leftsendcert=always
>>>>>>> rightcert=client_cert.pem
>>>>>>> right=1.100.0.9
>>>>>>> rightsubnet=0.0.0.0/0[icmp/] <http://0.0.0.0/0%5Bicmp/%5D>
>>>>>>> auto=route
>>>>>>>
>>>>>>> conn 1.100.0.9
>>>>>>> type=*transport*
>>>>>>> left=1.100.0.5
>>>>>>> leftcert=server_cert.pem
>>>>>>> leftsendcert=always
>>>>>>> rightcert=client_cert.pem
>>>>>>> right=1.100.0.9
>>>>>>> reauth=no
>>>>>>> auto=add
>>>>>>>
>>>>>>> =============
>>>>>>> Output of setkey -DP on client:
>>>>>>> root at agarwalpiyush0:/usr/local/google/home/agarwalpiyush/work/agent-v#
>>>>>>> ./sbin/nfv_cli dm_carl0 setkey -DP
>>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>>> fwd prio high + 1073740030 ipsec
>>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1834 seq=1 pid=103981
>>>>>>> refcnt=1
>>>>>>> 1.100.0.5 1.100.0.9 icmp
>>>>>>> in prio high + 1073740030 ipsec
>>>>>>> esp/tunnel/1.100.0.5-1.100.0.9/unique:1
>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1824 seq=2 pid=103981
>>>>>>> refcnt=1
>>>>>>> 1.100.0.9 1.100.0.5 icmp
>>>>>>> out prio high + 1073740030 ipsec
>>>>>>> esp/tunnel/1.100.0.9-1.100.0.5/unique:1
>>>>>>> created: May 23 11:21:42 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1817 seq=3 pid=103981
>>>>>>> refcnt=1
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> fwd prio high + 1073739774 none
>>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1698 seq=4 pid=103981
>>>>>>> refcnt=1
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> in prio high + 1073739774 none
>>>>>>> created: May 23 11:21:31 2017 lastused: May 23 11:21:35
>>>>>>> 2017
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1688 seq=5 pid=103981
>>>>>>> refcnt=2
>>>>>>> 0.0.0.0/0 0.0.0.0/0 icmp
>>>>>>> out prio high + 1073739774 none
>>>>>>> created: May 23 11:21:31 2017 lastused:
>>>>>>>
>>>>>>> lifetime: 0(s) validtime: 0(s)
>>>>>>> spid=1681 seq=6 pid=103981
>>>>>>> refcnt=1
>>>>>>>
>>>>>>>
>>>>>>> Questions:
>>>>>>> 1) I'd like a transport type IPsec session for all non-ICMP traffic
>>>>>>> between client and server. As soon as I specify "passthrough" policy, my
>>>>>>> IPsec session changes to type "tunnel" from output of ipsec status. Clearly
>>>>>>> I am not specifying passthrough policy correctly.
>>>>>>>
>>>>>>> 1) Do I need to specify left/right for my "skip" passthrough conn?
>>>>>>> If I do NOT specify left and right for skip connection, I see the IPsec
>>>>>>> type remains transport (which is good and what I want), I do see shunted
>>>>>>> policies in "ipsec status" but I still see ping packets are encrypted.
>>>>>>>
>>>>>>> Thank you for any help!
>>>>>>> Piyush
>>>>>>>
>>>>>>> On Monday, May 22, 2017 at 12:19:17 PM UTC-7, Noel Kuntze wrote:
>>>>>>>>
>>>>>>>> Add a passthrough policy for the protocol.
>>>>>>>>
>>>>>>>> Am 22. Mai 2017 19:09:03 MESZ schrieb Piyush Agarwal <
>>>>>>>> agarwa... at gmail.com>:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> Reading through the left|rightsubnet, it seems like there is no
>>>>>>>>> way to *exclude* a protocol from getting encrypted?
>>>>>>>>>
>>>>>>>>> I have a host to host tunnel and I want to encrypt everything
>>>>>>>>> between these except ICMP since I'd like to do out-of-tunnel
>>>>>>>>> ping/traceroute.
>>>>>>>>>
>>>>>>>>> Prior to using strongswan, I was using racoon where I could use
>>>>>>>>> setkey to manually update the SPD to exclude icmp alone.
>>>>>>>>>
>>>>>>>>> Please advise if there is any way to achieve this with strongswan.
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Piyush Agarwal
>>>>>>>>> Life can only be understood backwards; but it must be lived
>>>>>>>>> forwards.
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sent from mobile
>>>>>>>>
>>>>>>>
>>>>
>>>>
>>>> --
>>>> Piyush Agarwal
>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>
>>>
>>> --
>>> Sent from mobile
>>>
>>> --
>>> You received this message because you are subscribed to a topic in the
>>> Google Groups "strongswan-users" group.
>>> To unsubscribe from this topic, visit https://groups.google.com/d/to
>>> pic/strongswan-users/xLYdnbbn71U/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to
>>> strongswan-users+unsubscribe at googlegroups.com.
>>> To post to this group, send email to strongswan-users at googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/ms
>>> gid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40
>>> familie-kuntze.de
>>> <https://groups.google.com/d/msgid/strongswan-users/02D99C08-5DEC-463B-AC3B-C58B570D9F5E%40familie-kuntze.de?utm_medium=email&utm_source=footer>
>>> .
>>>
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170523/a3dde9de/attachment-0001.html>
More information about the Users
mailing list