Unsurprisingly, it works because the plugin creates passthrough policies for all networks that are directly reachable without an intermediate hop.
On 11.10.2017 17:04, Christoph Gysin wrote:
> Wow, thanks for the quick response. I managed to get it to work by
> simply using the bypass-lan plugin:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan
>
> Chris
>
> On Wed, Oct 11, 2017 at 5:44 PM, Noel Kuntze
> <[email protected]> wrote:
>> Use `ip link` instead. It shows you every possible detail about your network
>> interfaces. `brctl` is deprecated.
>> (e.g. `ip -d link show`)
>>
>> IPsec policies and routing are different things. You need to configure a
>> passthrough policy for the traffic to/from the docker subnet.
>>
>> Kind regards
>>
>> Noel
>>
>> On 11.10.2017 16:38, Christoph Gysin wrote:
>>> Docker creates a bridge docker0 and routes traffic through it:
>>>
>>> $ brctl show
>>> bridge name bridge id STP enabled interfaces
>>> docker0 8000.0242e39e4cfd no vethc5308b1
>>>
>>> $ ip route
>>> [...]
>>> 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
>>>
>>> After starting an ipsec connection, this stops working.
>>>
>>> I'm trying to understand how traffic is routed, and read:
>>> https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing
>>>
>>> I can see it created the routing table 220:
>>>
>>> $ ip route show table 220
>>> default via 10.181.24.1 dev wlp2s0 proto static src 10.191.2.52
>>>
>>> I also found some pointers in https://wiki.strongswan.org/issues/1247,
>>> but I'm still not sure what is the right way to fix this.
>>>
>>> How can I configure my system to allow traffic to 172.17.0.0/16 to be
>>> routed to docker0 even when the ipsec connection is up?
>>>
>>> Thanks,
>>> Chris
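As an added illustration (not part of the thread), this is what the manual passthrough policy Noel first suggested looks like in ipsec.conf, next to the strongswan.conf option that narrows the bypass-lan plugin to the Docker bridge only. The subnet 172.17.0.0/16 and the interface name docker0 are taken from Chris's output above; the conn name and the choice of the stroke/ipsec.conf configuration backend are assumptions of this example.

```conf
# /etc/ipsec.conf (constructed example)
# A passthrough conn installs bypass policies instead of IPsec transforms, so
# packets matching these selectors are excluded from the tunnel and follow the
# ordinary routing table (here: 172.17.0.0/16 dev docker0). auto=route installs
# the policies at startup without needing a peer.
conn docker-passthrough
    leftsubnet=172.17.0.0/16
    rightsubnet=172.17.0.0/16
    type=passthrough
    auto=route

# /etc/strongswan.conf (constructed example)
# Alternative: keep the bypass-lan plugin but restrict it to the Docker bridge.
# Left unrestricted, the plugin also excludes every other directly connected
# network (e.g. the wlp2s0 LAN) from the tunnel, which may not be intended.
charon {
    plugins {
        bypass-lan {
            interfaces_use = docker0
        }
    }
}
```

After `ipsec reload`, `ipsec statusall` should list docker-passthrough as routed, and `ip xfrm policy` should show entries for 172.17.0.0/16 that carry no `tmpl` line, which is how a bypass policy differs from one that selects traffic for a tunnel. Use one of the two approaches, not both, so there is a single place that decides which networks bypass the tunnel.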