Hello Tobias,

Thanks much for your response.

FYI, the ipsec config you provided doesn't work without a strongSwan config change. Setting right to 127.0.0.1 causes strongSwan to swap left and right:
Jul 13 12:06:41 07[CFG] received stroke: add connection 'client-1-bypass'
...
Jul 13 12:06:41 07[CFG] left is other host, swapping ends
Jul 13 12:06:41 07[CFG] added configuration 'client-1-bypass'
As a result, the bypass policies become inverted and they never match - all traffic goes over the non-bypassed SA. The simple solution is to set the following strongSwan config:

charon.plugins.allow_swap = no

I'm not sure if one would be expected to make such a change in order to get this bypass scenario to function, but that's what worked for me.

Regards,
Plevin

On 7/12/2016 4:36 AM, Tobias Brunner wrote:
Hi Plevin,

conn client-1-bypass
    left=192.168.0.1
    right=192.168.0.2
    rightsubnet=192.168.0.2[tcp/5001]
    leftfirewall=yes
    type=passthrough
    authby=secret
    auto=add

You configured this like a regular connection (left|right specified, leftfirewall=yes, authby=secret, auto=add). So this might get established like one. Instead you should set at least right to 127.0.0.1 so it won't get used as responder, and configure the traffic selectors via left|rightsubnet (e.g. leftsubnet=192.168.0.1/32, rightsubnet=192.168.0.2/32[tcp/5001]). leftfirewall=yes has no effect here, so if you need firewall rules to allow that traffic you have to install them yourself. And to install the policies when the config is loaded use auto=route. Same on the other host:

conn server-bypass
    right=127.0.0.1
    leftsubnet=192.168.0.2/32[tcp/5001]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route

Regards,
Tobias
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
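The configuration that results from combining Tobias's passthrough connections with Plevin's swap fix, assembled below as an added example; it is not a message from the thread and not the strongSwan project's own documentation. It assumes the same hosts as the thread (client 192.168.0.1, server 192.168.0.2, bypass for TCP port 5001 on the server), that the option Plevin refers to is the stroke plugin's allow_swap setting in strongswan.conf (charon.plugins.stroke.allow_swap), and that the regular tunnel between the two hosts is configured in a separate conn that is not shown here.

```conf
# --- ipsec.conf on the client (192.168.0.1) ---
# right=127.0.0.1 is never a reachable peer, so this conn is not usable as a
# responder; the traffic selectors come from left|rightsubnet, not from left|right.
# type=passthrough installs bypass policies only (no SA is negotiated), and
# auto=route installs them as soon as the config is loaded.
conn client-1-bypass
    right=127.0.0.1
    leftsubnet=192.168.0.1/32
    rightsubnet=192.168.0.2/32[tcp/5001]
    type=passthrough
    auto=route

# --- ipsec.conf on the server (192.168.0.2) ---
# Mirror image: local port 5001 is bypassed for any remote address.
conn server-bypass
    right=127.0.0.1
    leftsubnet=192.168.0.2/32[tcp/5001]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route

# --- strongswan.conf on both hosts ---
# Assumption: this is the setting Plevin's "allow_swap = no" refers to.
# Because 127.0.0.1 is a local address, the stroke plugin otherwise treats
# "left" as the other host and swaps the ends ("left is other host, swapping
# ends" in the log), which inverts the bypass policies so they never match.
charon {
    plugins {
        stroke {
            allow_swap = no
        }
    }
}
```

After reloading, `ipsec statusall` should list both bypass conns as routed, and `ip xfrm policy` should show the passthrough policies with src/dst in the intended direction (on the client: src 192.168.0.1 dst 192.168.0.2 with dport 5001 for dir out); if the addresses appear reversed, the swap is still happening and the policies will not match the port-5001 traffic.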
