On 14.9.2021. 13:12, Hrvoje Popovski wrote:
> On 13.9.2021. 15:52, Stuart Henderson wrote:
>> On 2021-09-13, Hrvoje Popovski <[email protected]> wrote:
>>> On 13.9.2021. 14:08, Tom Smyth wrote:
>>>> Can you do an exception for the ranges ... so internet - private ips
>>>> you dont want over the tunnel)
>>>>
>>>> ike esp from 10.90.0.0/24 to any encrypt
>>>> and
>>>>
>>>> 10.90.0.0/24 to NOT [networks you dont want over the tunnel) ?
>>>>
>>>
>>> :) this was the first thought that i've had ... but i couldn't find how
>>> to do it ... at least in man ipsec.conf or isakmpd.conf
>>>
>>
>> You do this with a "bypass flow" in /etc/ipsec.conf:
>>
>> flow from $network/$prefix to $network/$prefix type bypass
>>
>> and loading it with ipsecctl. Note if you use iked, you cannot configure
>> this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
>> for this purpose in conjunction with iked for tunnel setup.
>>
>
> Thank you guys ... with "type bypass" everything is working as expected
>
> c/p from config
> ike esp from 10.90.0.0/24 to any \
>     local $localip peer $peerip \
>     main auth hmac-sha1 enc aes group modp1024 \
>     quick enc aes-128-gcm group modp1024 \
>     psk 123
> flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass
and if you have carp (multicast) then you need flow from 10.90.0.0/24 to 224.0.0.18/32 type bypass
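A small check for the pattern discussed in this thread, added here as an example and not part of the original mails: given an ipsec.conf with an "ike esp from NET to any" rule, it reports which locally required destinations (the neighbouring /24s and the CARP multicast address) lack a matching "type bypass" flow and would therefore be pulled into the tunnel. The sample config and the MUST_BYPASS list are constructed from the values quoted above.

```python
"""Check ipsec.conf bypass-flow coverage for 'ike esp from NET to any' rules."""
import ipaddress
import re

# Constructed sample: the config pasted in the thread plus the CARP bypass line.
SAMPLE_CONF = """\
ike esp from 10.90.0.0/24 to any \\
    local $localip peer $peerip \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick enc aes-128-gcm group modp1024 \\
    psk 123
flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass
flow from 10.90.0.0/24 to 224.0.0.18/32 type bypass
"""

# Hypothetical site policy: destinations that must never enter the tunnel
# (local networks and the CARP multicast group from the thread).
MUST_BYPASS = ["10.90.0.0/24", "10.91.0.0/24", "10.92.0.0/24", "224.0.0.18/32"]

IKE_RE = re.compile(r"^ike\s+esp\s+from\s+(\S+)\s+to\s+any\b")
BYPASS_RE = re.compile(r"^flow\s+from\s+(\S+)\s+to\s+(\S+)\s+type\s+bypass\b")


def join_continuations(text):
    """Merge backslash-continued lines into single logical rules."""
    return re.sub(r"\\\n\s*", " ", text).splitlines()


def missing_bypass(conf_text, must_bypass=MUST_BYPASS):
    """Map each 'ike esp from NET to any' source network to the prefixes in
    must_bypass that no 'flow from NET to ... type bypass' line covers."""
    rules = [r.strip() for r in join_continuations(conf_text)]
    tunnel_srcs, bypass = [], {}
    for rule in rules:
        m = IKE_RE.match(rule)
        if m:
            tunnel_srcs.append(ipaddress.ip_network(m.group(1)))
        m = BYPASS_RE.match(rule)
        if m:
            src, dst = (ipaddress.ip_network(g) for g in m.groups())
            bypass.setdefault(src, []).append(dst)
    missing = {}
    for src in tunnel_srcs:
        covered = bypass.get(src, [])
        gaps = [p for p in must_bypass
                if not any(ipaddress.ip_network(p).subnet_of(c) for c in covered)]
        if gaps:
            missing[str(src)] = gaps
    return missing
```

Running missing_bypass() over the live config (e.g. the output of ipsecctl -sf) before loading a new policy gives a quick regression check that a bypass line was not dropped during an edit.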

