I have a test setup for IPSec with PSK on ipfire v153, so clients from iOS and Android can connect to our office’s ipfire firewall.
Connections only work when setting the Traffic Selector to 0.0.0.0/0 (IPSec > Local Subnet), but then the client’s whole traffic passes through the tunnel, which I would like to avoid.
OpenVPN works for our Desktop PCs with split tunneling, but is rather complicated for iOS and Android devices to set up for now… that’s why I would like to try with IPSec.
Since ipfire’s IPSec implementation is based on strongSwan I’ve found out that the “bypass-plugin” allows split tunneling so that traffic “can be passthrough/bypass by policies for locally attached subnets”:
Is strongSwan’s “bypass-lan” plugin on the latest ipfire enabled by default?
I couldn’t find the file “/etc/strongswan.d/charon/bypass-lan.conf”…
I created the file /etc/strongswan.d/charon/bypass-lan.conf with this content:

    load = yes
After that I created the “conn passthrough-1” in /etc/ipsec.user.conf:
    conn passthrough-1
        left=127.0.0.1
        leftsubnet=192.168.64.0/24
        rightsubnet=10.220.70.0/24
        type=passthrough
        auto=route
When doing an “ipsec restart” and checking /var/log/messages, it spits out:
ipsec_start: 'passthrough-1' shunt PASS policy installed
This seems to indicate that a PASSTHROUGH policy is enabled, but not sure…
However in my setup the “passthrough-1” connection just blocks the traffic,
so not really sure if the bypass-lan plugin really works…
If anyone has a suggestion or another setup it would be really appreciated!
Here’s the setup:
Host-to-Net Virtual Private Network (RoadWarrior): 10.220.70.0/255.255.255.0
Local Subnet: 0.0.0.0/0
    version 2

    conn %default
        keyingtries=%forever

    include /etc/ipsec.user.conf

    conn IPsecPSK
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        leftid="@gate.example.org"
        rightid="email@example.com"
        type=tunnel
        ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_384-modp4096,aes256-sha2_384-modp3072,aes256-sha2_384-modp2048,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048!
        esp=aes256-sha2_384,aes256-sha2_256!
        keyexchange=ikev2
        ikelifetime=3h
        keylife=1h
        mobike=yes
        dpdaction=clear
        dpddelay=30
        dpdtimeout=120
        authby=secret
        auto=add
        rightsourceip=10.220.70.0/255.255.255.0
        fragmentation=yes

    conn IPsecPSK
        leftallowany=yes
        rekey=yes
        reauth=no
        rightdns=192.168.64.1

    conn passthrough-1
        left=127.0.0.1
        leftsubnet=192.168.64.0/24
        rightsubnet=10.220.70.0/24
        type=passthrough
        auto=route
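As an added example (not part of the original post, nor ipfire's or strongSwan's own code), a small Python model of how the gateway's security policy database chooses between the IPsecPSK tunnel policy and the passthrough-1 shunt for a given packet. The client virtual IP 10.220.70.5 is a constructed sample, and the ordering rule is an assumption that follows strongSwan's kernel-netlink priority scheme, where PASS shunts outrank protected policies and narrower selectors outrank wider ones.

```python
# Added example: a minimal SPD lookup model for the policies in the post.
# Assumed ordering (after strongSwan's kernel-netlink priorities): PASS shunts
# beat PROTECT policies, and among equals the narrower selector pair wins.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Policy:
    name: str
    src: IPv4Network   # leftsubnet side, as seen from the gateway
    dst: IPv4Network   # rightsubnet side
    action: str        # "PROTECT" (tunnel) or "PASS" (shunt, no IPsec)


def priority(p: Policy) -> tuple:
    """Higher tuple sorts first: action class, then selector specificity."""
    action_rank = {"PASS": 2, "PROTECT": 1}[p.action]
    return (action_rank, p.src.prefixlen + p.dst.prefixlen)


def lookup(policies, src: str, dst: str):
    """Name and action of the highest-priority policy matching src -> dst,
    or None when no selector matches (plain routing, no IPsec policy)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    matches = [p for p in policies if s in p.src and d in p.dst]
    if not matches:
        return None
    best = max(matches, key=priority)
    return best.name, best.action


# Policies the post's config installs once a road warrior holding the
# constructed virtual IP 10.220.70.5 is connected: the 0.0.0.0/0 tunnel
# selector narrowed to that client, plus the passthrough-1 shunt.
SPD = [
    Policy("IPsecPSK", IPv4Network("0.0.0.0/0"),
           IPv4Network("10.220.70.5/32"), "PROTECT"),
    Policy("passthrough-1", IPv4Network("192.168.64.0/24"),
           IPv4Network("10.220.70.0/24"), "PASS"),
]

if __name__ == "__main__":
    # LAN host to VPN client vs. Internet host to VPN client.
    for src, dst in [("192.168.64.10", "10.220.70.5"), ("8.8.8.8", "10.220.70.5")]:
        print(src, "->", dst, lookup(SPD, src, dst))
```

Under this ordering, a packet from the LAN (192.168.64.0/24) to a client address inside 10.220.70.0/24 selects the PASS shunt rather than the tunnel, so it leaves the gateway unprotected by IPsec; a packet from outside the LAN to the same client still selects the tunnel.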