July 6, 2014

ipsec local routing bypass

Suppose that you have an IPsec site-to-site network with the following policies:

On local: traffic from 10.1.0.0/16 to 0.0.0.0/0 goes into the IPsec tunnel to remote
On remote: traffic from 0.0.0.0/0 to 10.1.0.0/16 goes into the IPsec tunnel to local

Now on local you have a subnet 10.1.1.0/24 that you want to talk to directly. For example, your local interface eth1 has 10.1.1.1, and there is another computer on your network with 10.1.1.2. If you try to ping 10.1.1.2 it will not work, because the traffic is matched by the IPsec policy (use "ip xfrm policy" to show it) and directed into the IPsec tunnel instead of onto the local network.

To add a local route bypass, use this:
ip xfrm policy add dir in src 10.1.1.0/24 dst 10.1.1.0/24
ip xfrm policy add dir out src 10.1.1.0/24 dst 10.1.1.0/24

A policy added with no template ("tmpl") is a bypass policy: matching traffic is passed in the clear rather than handed to the tunnel, and because it is added with the default priority 0 it is preferred over the tunnel policies the IKE daemon installs.

Run this after your IPsec tunnel is up. Then you should be able to ping 10.1.1.2.
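To see which policy the kernel would apply to a given packet, here is an added Python script (not from the original post) that parses a constructed sample of "ip xfrm policy" output and picks the matching policy the way the kernel does: lowest priority value wins, and a policy without a template means bypass. The sample addresses, the priority value 1859 and the tie-breaking rule (first listed wins on equal priority) are assumptions for this example.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output on the "local" gateway
# after the tunnel is up and the two bypass policies have been added.
SAMPLE = """\
src 10.1.1.0/24 dst 10.1.1.0/24
    dir out priority 0
src 10.1.1.0/24 dst 10.1.1.0/24
    dir in priority 0
src 10.1.0.0/16 dst 0.0.0.0/0
    dir out priority 1859 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.1.0.0/16
    dir in priority 1859 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts: src, dst, dir, priority, tmpl."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "priority": 0, "tmpl": False})
            continue
        m = re.match(r"dir (\w+) priority (\d+)", line)
        if m and policies:
            policies[-1]["dir"] = m.group(1)
            policies[-1]["priority"] = int(m.group(2))
        elif line.startswith("tmpl") and policies:
            policies[-1]["tmpl"] = True  # a template hands the packet to the SA (tunnel)
    return policies

def lookup(policies, direction, src, dst):
    """Select the policy for one packet: among matching policies the lowest
    priority value wins; ties go to the first listed (assumed for this sample)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    if not matches:
        return "no policy (plain routing)"
    best = min(matches, key=lambda p: p["priority"])  # min() keeps the first on ties
    return "tunnel" if best["tmpl"] else "bypass"
```

Dropping the two priority-0 entries from the parsed list shows the original problem: the LAN ping to 10.1.1.2 then selects the 10.1.0.0/16 tunnel policy, even though the /24 would be a longer prefix match.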

Note: when I added the policies directly using "setkey", it did not work for me.

It looks like strongSwan can do this using a config file section for "shunt" policies. Need to try this.
