Hello,
I have a test setup for IPsec with PSK on IPFire v153, so that clients on iOS and Android can connect to our office’s IPFire firewall.
Connections only work when setting the Traffic Selector to 0.0.0.0/0 (IPSec > Local Subnet), but then the whole client’s traffic passes through the tunnel, which I would like to avoid.
OpenVPN works for our desktop PCs with split tunneling, but is rather complicated to set up on iOS and Android devices for now… that’s why I would like to try it with IPsec.
Since IPFire’s IPsec implementation is based on strongSwan, I found out that the “bypass-lan” plugin allows split tunneling so that traffic “can be passthrough/bypass by policies for locally attached subnets”:
https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan
My question:
Is strongSwan’s “bypass-lan” plugin enabled by default on the latest IPFire?
I couldn’t find the file “/etc/strongswan.d/charon/bypass-lan.conf”…
I created the file /etc/strongswan.d/charon/bypass-lan.conf with this content:
bypass-lan {
    load = yes
}
After that I created the “conn passthrough-1” in /etc/ipsec.user.conf:
conn passthrough-1
    left=127.0.0.1
    leftsubnet=192.168.64.0/24
    rightsubnet=10.220.70.0/24
    type=passthrough
    auto=route
When doing an “ipsec restart” and checking /var/log/messages, it spits out:
ipsec_start[19843]: 'passthrough-1' shunt PASS policy installed
This seems to indicate that a PASSTHROUGH policy is enabled, but I’m not sure…
However, in my setup the “passthrough-1” connection just blocks the traffic,
so I’m not really sure whether the bypass-lan plugin really works…
If anyone has a suggestion or another setup it would be really appreciated!
Here’s the setup:
Host-to-Net Virtual Private Network (RoadWarrior): 10.220.70.0/255.255.255.0
Local Subnet: 0.0.0.0/0
cat /etc/ipsec.user.conf
version 2

conn %default
    keyingtries=%forever

include /etc/ipsec.user.conf

conn IPsecPSK
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    leftid="@gate.example.org"
    rightid="test@example.org"
    type=tunnel
    ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_384-modp4096,aes256-sha2_384-modp3072,aes256-sha2_384-modp2048,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048!
    esp=aes256-sha2_384,aes256-sha2_256!
    keyexchange=ikev2
    ikelifetime=3h
    keylife=1h
    mobike=yes
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    authby=secret
    auto=add
    rightsourceip=10.220.70.0/255.255.255.0
    fragmentation=yes
cat /etc/ipsec.user.conf
conn IPsecPSK
    leftallowany=yes
    rekey=yes
    reauth=no
    rightdns=192.168.64.1

conn passthrough-1
    left=127.0.0.1
    leftsubnet=192.168.64.0/24
    rightsubnet=10.220.70.0/24
    type=passthrough
    auto=route
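The behaviour reported above (a "shunt PASS policy installed" message, yet LAN traffic to the road warriors stops flowing) is what a policy-precedence model predicts. The following is an added example, not code from the post or from IPFire/strongSwan: a simplified Python model of how the kernel picks one policy per flow. It assumes, as strongSwan documents for type=passthrough, that shunt PASS policies outrank regular tunnel policies regardless of selector size, and that ties are broken by the more specific selectors; it models the bypass-lan plugin as a PASS shunt from each locally attached subnet to itself. Conn names, subnets and the constructed client/internet addresses mirror the configuration above; `bypass_lan_policies`, `conn_policies`, `lookup` and `ipfire_test_setup` are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Priority classes loosely modelled on strongSwan's kernel policy scheme
# (assumption/simplification for this example): the lower value wins,
# so a passthrough shunt beats a tunnel policy even when the tunnel
# selector (here 0.0.0.0/0) would otherwise also match the flow.
PRIO_PASS = 1      # type=passthrough shunts and bypass-lan policies
PRIO_DEFAULT = 2   # regular IPsec tunnel policies


@dataclass(frozen=True)
class Policy:
    conn: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "ipsec" = protect in the tunnel, "pass" = send in the clear
    prio_class: int

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst

    def specificity(self) -> int:
        # Longer prefixes = more specific selector pair (used only as tie-breaker)
        return self.src.prefixlen + self.dst.prefixlen


def conn_policies(conn: str, leftsubnet: str, rightsubnet: str, ctype: str) -> List[Policy]:
    """Expand one ipsec.conf 'conn' into the outbound and inbound policies it installs."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    if ctype == "tunnel":
        action, prio = "ipsec", PRIO_DEFAULT
    elif ctype == "passthrough":
        action, prio = "pass", PRIO_PASS
    else:
        raise ValueError(f"unsupported conn type {ctype!r}")
    return [Policy(conn, left, right, action, prio),    # out: left -> right
            Policy(conn, right, left, action, prio)]    # in/fwd: right -> left


def bypass_lan_policies(local_subnets: List[str]) -> List[Policy]:
    """Model of what bypass-lan does: a PASS shunt for each locally attached subnet to itself."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    return [Policy("bypass-lan", n, n, "pass", PRIO_PASS) for n in nets]


def lookup(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Return the policy the kernel would apply to a src->dst flow, or None (plain routing)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.matches(s, d)]
    if not hits:
        return None
    # Lowest priority class first; among equals, the most specific selectors win.
    return min(hits, key=lambda p: (p.prio_class, -p.specificity()))


def ipfire_test_setup(with_passthrough: bool, with_bypass_lan: bool) -> List[Policy]:
    """Policies installed by the configuration quoted in the post (constructed model)."""
    pol = conn_policies("IPsecPSK", "0.0.0.0/0", "10.220.70.0/24", "tunnel")
    if with_passthrough:
        pol += conn_policies("passthrough-1", "192.168.64.0/24", "10.220.70.0/24", "passthrough")
    if with_bypass_lan:
        pol += bypass_lan_policies(["192.168.64.0/24"])
    return pol


if __name__ == "__main__":
    # Constructed sample flows: a LAN host replying to a road warrior,
    # a road warrior reaching the internet, and two LAN hosts talking.
    flows = [("192.168.64.10", "10.220.70.5"),
             ("10.220.70.5", "203.0.113.9"),
             ("192.168.64.10", "192.168.64.20")]
    for label, pol in [("tunnel only", ipfire_test_setup(False, False)),
                       ("with passthrough-1", ipfire_test_setup(True, False)),
                       ("with bypass-lan", ipfire_test_setup(False, True))]:
        print(f"== {label}")
        for src, dst in flows:
            p = lookup(pol, src, dst)
            print(f"  {src} -> {dst}: {p.conn + '/' + p.action if p else 'no policy (routed in the clear)'}")
```

Running the model shows the effect: with only the tunnel conn, a LAN host's reply to 10.220.70.5 is protected by IPsecPSK; once passthrough-1 is present, the same reply matches the PASS shunt and leaves the firewall unencrypted, so the client, which expects it inside the tunnel, never sees it. That is one mechanism by which a shunt that is reported as installed can look as if it "blocks" traffic. A bypass-lan shunt only affects LAN-to-LAN flows (192.168.64.x to 192.168.64.y) and does not touch the road-warrior pool at all.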