Hi Noel,

> I use bypass policies and just found out that strongSwan installs those with
> a lower priority than the tunnel policies.
> So bypass policies don't actually work sometimes.

The Linux kernel actually prefers policies with lower priorities (by their
numeric value).

> In this particular case, if I change the TS of a connection from
> 192.168.178.0/24 172.16.20.0/24 == <censored>/32 172.16.21.0/24
> to 192.168.178.0/24 172.16.20.0/24 == 0.0.0.0/0,
> all packets leave through the tunnel, although the bypass policies should
> prevent that.

Changing the remote TS to /0 should definitely increase the priority value
(/24 === /0 should get you 2947 instead of 2883 for /24 on both sides).

What particular packets (source/destination) do you see entering the tunnel?
Do the counters increase (ip -s state)? What about the use times of the
in/out bypass policies (ip -s policy)?

> src 192.168.122.0/24 dst 0.0.0.0/0
> dir fwd priority 1443
> src 192.168.122.0/24 dst 0.0.0.0/0
> dir fwd priority 1443

This looks odd. The second policy above should be *in* not *fwd*. Typo?

Regards,
Tobias

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
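The rule Tobias states above, that among all XFRM policies matching a packet the kernel applies the one with the numerically lowest priority, is easy to get backwards when reading `ip xfrm policy` output. The following is an added example, not code from the strongSwan project or from anyone in this thread: a small model of that lookup plus a check that reports any bypass (allow) policy whose selector is overlapped by a tunnel policy with an equal or lower priority value, which is exactly the situation in which a bypass silently stops working. The priority values 1443 and 2947 are the ones quoted in the thread; every selector, policy name and the "manual" policy with priority 1000 are constructed for illustration and do not describe a real setup.

```python
"""Model of XFRM policy selection: lowest numeric priority wins among matches.

Added example, not strongSwan code. Assumes a policy matches on direction plus
src/dst prefix only (no proto/port selectors) and that ties are not relevant.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    direction: str   # "in", "out" or "fwd", as shown by `ip xfrm policy`
    src: str         # source selector, CIDR
    dst: str         # destination selector, CIDR
    priority: int    # XFRM priority: a LOWER number is preferred
    action: str      # "allow" for a bypass policy, "ipsec" for a tunnel policy
    name: str        # label used only for reporting

    def matches(self, direction: str, src_ip: str, dst_ip: str) -> bool:
        return (self.direction == direction
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def lookup(policies: List[Policy], direction: str,
           src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the policy the kernel would apply to this packet, or None."""
    candidates = [p for p in policies if p.matches(direction, src_ip, dst_ip)]
    if not candidates:
        return None
    # The kernel prefers the smallest priority value, not the largest.
    return min(candidates, key=lambda p: p.priority)


def _overlaps(a: str, b: str) -> bool:
    return ip_network(a).overlaps(ip_network(b))


def shadowed_bypasses(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Report (bypass, tunnel) name pairs where the tunnel policy overlaps the
    bypass in the same direction and has priority <= the bypass, so traffic
    meant to be exempted would be pulled into the tunnel instead."""
    found = []
    for bypass in policies:
        if bypass.action != "allow":
            continue
        for tunnel in policies:
            if tunnel.action != "ipsec" or tunnel.direction != bypass.direction:
                continue
            if (_overlaps(bypass.src, tunnel.src)
                    and _overlaps(bypass.dst, tunnel.dst)
                    and tunnel.priority <= bypass.priority):
                found.append((bypass.name, tunnel.name))
    return found


# Constructed sample policy set (priorities 1443 / 2947 taken from the thread,
# selectors and names invented). The tunnel selector deliberately covers the
# bypassed subnet so that both policies match the same packets.
POLICIES = [
    Policy("out", "192.168.122.0/24", "0.0.0.0/0", 1443, "allow", "bypass-lan"),
    Policy("out", "192.168.0.0/16",   "0.0.0.0/0", 2947, "ipsec", "tunnel-all"),
]

# Constructed misconfiguration: a hand-installed tunnel policy with a priority
# value below the bypass, which would shadow it.
SHADOWING_TUNNEL = Policy("out", "192.168.0.0/16", "0.0.0.0/0", 1000,
                          "ipsec", "manual")

if __name__ == "__main__":
    hit = lookup(POLICIES, "out", "192.168.122.10", "8.8.8.8")
    print("192.168.122.10 -> 8.8.8.8 uses:", hit.name if hit else None)
    hit = lookup(POLICIES, "out", "192.168.50.10", "8.8.8.8")
    print("192.168.50.10 -> 8.8.8.8 uses:", hit.name if hit else None)
    print("shadowed bypasses:", shadowed_bypasses(POLICIES + [SHADOWING_TUNNEL]))
```

With strongSwan's own policies the bypass keeps the lower value (1443 against 2947 here), so `lookup` resolves the bypassed subnet to the allow policy and `shadowed_bypasses` returns nothing; only the constructed policy with priority 1000 trips the check. When debugging a case like Noel's, feeding the check with the real `ip -s xfrm policy` output (including the direction of each entry, which is why the duplicated `fwd` line above matters) narrows the question down to which policy pair actually overlaps.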
