July 6, 2014

ipsec local routing bypass

Suppose that you have an ipsec site-to-site network as follows:

On local: from to goes to remote ipsec
On remote: from to goes to ipsec

Now on local you have a subnet that you want to talk to. For example, your local interface eth1 has an address on that subnet, and there is another computer on your network in the same subnet. Now if you try to ping it, it would not work, because the traffic is captured by the ipsec policy (use "ip xfrm policy" to show it) and directed into the ipsec tunnel.

To add a local route bypass, use this:
ip xfrm policy add dir in src dst
ip xfrm policy add dir out src dst

Run this after your ipsec tunnel is up. Then you should be able to ping it.
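As an added illustration (not part of the original post), the following Python reads "ip xfrm policy" output and reports which policy would catch a given packet, so you can confirm that the narrower bypass policies win over the tunnel policy for the local subnet. The policy listing, the 10.x subnets and the 203.0.113.10 / 198.51.100.20 tunnel endpoints are constructed for the example, and the tie-break rule for equal priorities is an assumption.

```python
import ipaddress
# Constructed sample of `ip xfrm policy` output (not from the post): a tunnel for
# 10.1.0.0/16 <-> 10.2.0.0/16 plus two narrower bypass policies (no tmpl line,
# priority 0) for 10.2.5.0/24, a local subnet overlapping the remote selector.
SAMPLE_XFRM_POLICY = """\
src 10.2.5.0/24 dst 10.1.0.0/16
    dir in priority 0 ptype main
src 10.1.0.0/16 dst 10.2.5.0/24
    dir out priority 0 ptype main
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 2048 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 2048 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
"""

def parse_policies(text):
    """Parse `ip xfrm policy` output; a policy with no tmpl line is a bypass."""
    policies, cur = [], None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "src":  # selector line starts a new policy
            cur = {"src": ipaddress.ip_network(w[1]), "dst": ipaddress.ip_network(w[3]), "tmpl": None}
            policies.append(cur)
        elif w[0] == "dir":
            cur["dir"], cur["priority"] = w[1], int(w[w.index("priority") + 1])
        elif w[0] == "tmpl":  # tmpl dst is the remote tunnel endpoint
            cur["tmpl"] = w[4]
    return policies

def lookup(policies, direction, src, dst):
    """Policy the kernel applies: lowest priority wins; ties go to the first listed (assumption)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def describe(policy):
    if policy is None:
        return "no policy: plain routing"
    return "tunnel to " + policy["tmpl"] if policy["tmpl"] else "bypass: plain routing"

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    before = [p for p in pols if p["tmpl"]]  # the table without the bypass entries
    for label, table in (("before", before), ("after", pols)):
        print(label, "10.2.5.7 ->", describe(lookup(table, "out", "10.1.0.5", "10.2.5.7")))
```

On a real host, feed it the actual output of "ip xfrm policy" instead of the constructed sample to see which entry is catching the traffic you expected to stay local.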

Note: when I added policies directly using "setkey", it did not work for me.

It looks like StrongSwan can do this using a config file section called "shunt" policies. I need to try this.
