[strongSwan] How to express negation in local_ts/remote_ts?
Glen Huang
heyhgl at gmail.com
Mon Oct 28 14:45:18 CET 2019
Sorry, I forgot to say, in my real case, I have quite a few holes to punch, leaving very fragmented IP ranges, thus the huge size.
From your reply, I assume they are the only two ways to enable split tunnel?
> On Oct 28, 2019, at 5:28 PM, Tobias Brunner <tobias at strongswan.org> wrote:
>
> Hi Glen,
>
>> Such inverted ts is really huge
>
> Huge? Excluding 1.0.0.0/8 from 0.0.0.0/0 results in eight subnets:
>
> 0.0.0.0/8,2.0.0.0/7,4.0.0.0/6,8.0.0.0/5,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/1
>
> I think that should be workable.
>
>> I can probably manually manipulate the routing table on the client to make it connect to these IPs directly, but that won’t work in a locked-down environment like iOS.
>>
>> I wonder if there is any other way?
>
> Passthrough/bypass policies and routing manipulations are both possible
> approaches for certain clients and scenarios, but it really depends.
> And as you say, some clients don't provide much flexibility at all.
>
> Regards,
> Tobias
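
The subnet arithmetic discussed in this thread, as an added example that is not part of the original messages: it computes the inverted traffic selector for any number of excluded ranges, generalizing the single 1.0.0.0/8 case. The function names `inverted_ts` and `ts_value` and the extra holes are assumptions made for illustration, and all holes are assumed to be in one address family.

```python
import ipaddress


def inverted_ts(holes, universe="0.0.0.0/0"):
    """Return the sorted subnets of `universe` that remain once every
    network in `holes` has been removed (hypothetical helper)."""
    remaining = [ipaddress.ip_network(universe)]
    # Merge overlapping or adjacent holes first so each is handled once.
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(h) for h in holes)
    for hole in merged:
        kept = []
        for net in remaining:
            if hole.supernet_of(net):
                # The hole covers this subnet entirely: drop it.
                continue
            if net.supernet_of(hole):
                # The hole sits inside this subnet: split around it.
                kept.extend(net.address_exclude(hole))
            else:
                # Disjoint: keep the subnet unchanged.
                kept.append(net)
        remaining = kept
    return sorted(remaining)


def ts_value(holes, universe="0.0.0.0/0"):
    """Comma-separated subnet list, in the form quoted in the thread."""
    return ",".join(str(n) for n in inverted_ts(holes, universe))


if __name__ == "__main__":
    # The single exclusion from the thread.
    print(ts_value(["1.0.0.0/8"]))
    # Constructed sample with several holes, to show how the list grows.
    sample = ["1.0.0.0/8", "10.0.0.0/8", "192.168.1.0/24"]
    result = inverted_ts(sample)
    print(len(result), "subnets:", ",".join(map(str, result)))
```

Each additional hole splits one remaining subnet into as many pieces as the difference between the two prefix lengths, which is why many scattered exclusions produce a long selector list.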