Hello,

Just use a passthrough policy if you use a policy-based IPsec tunnel.

Kind regards

Noel

On 26.09.18 at 22:17, Phil Frost wrote:
> There are other possible solutions, but my inclination would be to run 
> strongswan and any other VPN related services in a distinct network 
> namespace. This would not only address your issue, but it also prevents 
> accidentally "crossing the streams" between the VPN and other public networks 
> to which the host is attached. A common issue is that the IKE daemon fails to 
> start or is misconfigured, and so the policies that normally encrypt traffic 
> on egress don't get installed, and traffic that should have been encrypted is 
> leaked on a public interface.
>
> https://vincent.bernat.ch/en/blog/2017-route-based-vpn is a tutorial I've 
> found helpful in the past. It covers BGP and a lot of other things beyond 
> your particular problem, but maybe ignoring those parts you may still find it 
> useful.
>
> On Wed, Sep 26, 2018 at 3:01 PM Doug Tucker <doug.tuc...@newscycle.com> wrote:
>
>     I've done some searching and am not finding any info on this.  We had a 
> client who wanted to offer a /16 as his right subnet and his outside peer IP 
> of his ASA fell into the /16 they were offering.  With a Cisco ASA this is a 
> non-issue, as in this type of scenario Cisco exempts out that single IP from 
> the routing table, but with strongswan 5.6.3 it appears to not do so by 
> default and caused some odd routing anomalies to this IP.  Does anyone know 
> of a configuration directive for dealing with this?
>
>
>     *Doug Tucker*
>
>     Sr. Network Administrator
>
>     o: 817.975.5832  |  m: 817.975.5832
>
>     e: doug.tuc...@newscycle.com
>
>     Newscycle Solutions <http://www.newscycle.com/>

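A sketch of the passthrough policy suggested in the reply above, in swanctl.conf syntax. It is an added illustration, not configuration posted in this thread; the connection name and all addresses are constructed, and it assumes a policy-based tunnel whose remote traffic selector is a /16 that contains the peer's outside address.

```conf
# swanctl.conf fragment (added example; names and addresses are constructed)
#
# Assumed tunnel, as described in the thread:
#   local_ts  = 10.1.0.0/16      (our side)
#   remote_ts = 198.51.0.0/16    (the client's /16)
#   peer's outside address = 198.51.100.10, which lies inside that /16
connections {
    # Hypothetical name. This entry never negotiates IKE with anyone;
    # it exists only to install a kernel policy.
    bypass-peer {
        remote_addrs = 127.0.0.1    # keeps this entry out of peer selection
        children {
            bypass-peer {
                local_ts  = 10.1.0.0/16         # same local selector as the tunnel
                remote_ts = 198.51.100.10/32    # only the peer's outside address
                mode = pass                     # match, but apply no IPsec
                start_action = trap             # install the policy when loaded
            }
        }
    }
}
```

After `swanctl --load-conns`, the installed policies can be inspected with `ip xfrm policy`.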