IPSec bypass-lan plugin to avoid all tunnel traffic?

Hello,

I have a test setup for IPSec with PSK on ipfire v153, so clients from iOS and Android can connect to our office’s ipfire firewall.
Connections only work when setting the Traffic Selector to 0.0.0.0/0 (IPSec > Local Subnet), but then the whole client’s traffic passes through the tunnel, which I would like to avoid.

OpenVPN works for our desktop PCs with split tunneling, but is rather complicated to set up on iOS and Android devices for now… that’s why I would like to try with IPSec.

Since ipfire’s IPSec implementation is based on strongSwan, I found out that the “bypass-lan” plugin allows split tunneling so that traffic “can be passthrough/bypass by policies for locally attached subnets”:
https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

My question:
Is strongSwan’s “bypass-lan” plugin on the latest ipFire enabled by default?
I couldn’t find the file “/etc/strongswan.d/charon/bypass-lan.conf”…

I created the file /etc/strongswan.d/charon/bypass-lan.conf with this content:

bypass-lan {
    load = yes
}

After that I created the “conn passthrough-1” in /etc/ipsec.user.conf:

conn passthrough-1
   left=127.0.0.1
   leftsubnet=192.168.64.0/24
   rightsubnet=10.220.70.0/24
   type=passthrough
   auto=route

When doing an “ipsec restart” and checking /var/log/messages, it spits out:
ipsec_start[19843]: 'passthrough-1' shunt PASS policy installed

This seems to indicate that a PASSTHROUGH policy is enabled, but not sure…

However, in my setup the “passthrough-1” connection just blocks the traffic,
so I’m not really sure whether the bypass-lan plugin really works…

If anyone has a suggestion or another setup it would be really appreciated!

Here’s the setup:

Host-to-Net Virtual Private Network (RoadWarrior): 10.220.70.0/255.255.255.0
Local Subnet: 0.0.0.0/0

cat /etc/ipsec.user.conf

version 2

conn %default
	keyingtries=%forever

include /etc/ipsec.user.conf

conn IPsecPSK
	left=%defaultroute
	leftsubnet=0.0.0.0/0
	leftfirewall=yes
	lefthostaccess=yes
	right=%any
	leftid="@gate.example.org"
	rightid="test@example.org"
	type=tunnel
	ike=aes256-sha2_384-ecp384,aes256-sha2_384-ecp256,aes256-sha2_384-modp4096,aes256-sha2_384-modp3072,aes256-sha2_384-modp2048,aes256-sha2_256-ecp384,aes256-sha2_256-ecp256,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048!
	esp=aes256-sha2_384,aes256-sha2_256!
	keyexchange=ikev2
	ikelifetime=3h
	keylife=1h
	mobike=yes
	dpdaction=clear
	dpddelay=30
	dpdtimeout=120
	authby=secret
	auto=add
	rightsourceip=10.220.70.0/255.255.255.0
	fragmentation=yes

cat /etc/ipsec.user.conf

conn IPsecPSK
    leftallowany=yes
    rekey=yes
    reauth=no
    rightdns=192.168.64.1

conn passthrough-1
   left=127.0.0.1
   leftsubnet=192.168.64.0/24
   rightsubnet=10.220.70.0/24
   type=passthrough
   auto=route

Strangely enough, it’s working now:
I disabled the IPsec configuration and, for a few days after restarting, it’s working: the whole traffic is correctly split… maybe some cache problems with strongSwan.

I also removed the unnecessary “conn passthrough-1” in /etc/ipsec.user.conf and removed my /etc/strongswan.d/charon/bypass-lan.conf file… seems to work.

Just the DHCP/DNS is not resolving for the connected clients; need to check further… now running on ipfire 2.25 Core Update 154.

cheers

gilles
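The log line “shunt PASS policy installed” only says that charon pushed a policy into the kernel; what actually decides whether a packet is tunnelled, passed in clear or dropped is the XFRM policy database, which `ip xfrm policy` prints. The script below is an added example (not code from this thread, from IPFire or from strongSwan): it parses that output, classifies each policy the way strongSwan names them (pass / protect / drop) and, for a given flow and direction, picks the policy the kernel will apply, which is the matching one with the lowest priority number. The `ip xfrm policy` text embedded in the script is constructed: the subnets follow the posted setup (192.168.64.0/24 LAN, 10.220.70.0/24 road-warrior pool, one client at 10.220.70.5), while the tunnel endpoints 203.0.113.1 / 198.51.100.7 and the priority values are illustrative placeholders (strongSwan does give PASS shunts a lower, i.e. more preferred, priority number than tunnel policies, so the relative order is realistic). Running it shows why a passthrough conn between the LAN and the road-warrior pool is not a split-tunnel exception but an exemption from IPsec: LAN to road-warrior traffic matches the shunt first and is never sent through the tunnel, which is the effect a defender wants to be able to spot.

```python
"""Classify XFRM policies from `ip xfrm policy` output and decide which
policy the kernel applies to a flow.

Added example, not from the forum post, IPFire or strongSwan. The sample
output below is constructed; addresses follow the post, the tunnel
endpoints and priority numbers are illustrative placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `ip xfrm policy` output: a PASS shunt for LAN <-> pool in all
# three directions, plus the tunnel policies for one connected client.
SAMPLE_XFRM_POLICY = """\
src 192.168.64.0/24 dst 10.220.70.0/24
	dir out priority 199808 ptype main
src 10.220.70.0/24 dst 192.168.64.0/24
	dir in priority 199808 ptype main
src 10.220.70.0/24 dst 192.168.64.0/24
	dir fwd priority 199808 ptype main
src 0.0.0.0/0 dst 10.220.70.5/32
	dir out priority 399872 ptype main
	tmpl src 203.0.113.1 dst 198.51.100.7
		proto esp reqid 1 mode tunnel
src 10.220.70.5/32 dst 0.0.0.0/0
	dir in priority 399872 ptype main
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 1 mode tunnel
src 10.220.70.5/32 dst 0.0.0.0/0
	dir fwd priority 399872 ptype main
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 1 mode tunnel
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    action: str = "allow"       # "block" on drop policies
    has_template: bool = False  # a tmpl line means the traffic is ESP/AH protected

    @property
    def kind(self) -> str:
        """strongSwan's name for the policy: pass, protect or drop."""
        if self.action == "block":
            return "drop"
        return "protect" if self.has_template else "pass"


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output into XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"src (\S+) dst (\S+)", line)  # 'tmpl src ...' does not match here
        if header:
            policies.append(XfrmPolicy(ipaddress.ip_network(header.group(1), strict=False),
                                       ipaddress.ip_network(header.group(2), strict=False)))
            continue
        if not policies:
            raise ValueError("attribute line before any 'src ... dst ...' header")
        cur = policies[-1]
        if line.startswith("dir "):
            cur.direction = re.search(r"\bdir (\w+)", line).group(1)
            prio = re.search(r"\bpriority (\d+)", line)
            cur.priority = int(prio.group(1)) if prio else 0
            action = re.search(r"\baction (\w+)", line)
            cur.action = action.group(1) if action else "allow"
        elif line.startswith("tmpl "):
            cur.has_template = True
    return policies


def select_policy(policies: List[XfrmPolicy], direction: str,
                  src_ip: str, dst_ip: str) -> Optional[XfrmPolicy]:
    """Kernel lookup: among policies matching direction and selectors,
    the lowest priority number wins. None means no IPsec policy applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matching = [p for p in policies
                if p.direction == direction and s in p.src and d in p.dst]
    return min(matching, key=lambda p: p.priority) if matching else None


def unprotected_flows(policies: List[XfrmPolicy]) -> List[str]:
    """Defender check: every selector that bypasses IPsec, as 'dir src->dst'."""
    return [f"{p.direction} {p.src}->{p.dst}" for p in policies if p.kind == "pass"]


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for dirn, s, d in [("out", "192.168.64.10", "10.220.70.5"),   # LAN host -> VPN client
                       ("out", "203.0.113.50", "10.220.70.5"),    # internet host -> VPN client
                       ("in", "10.220.70.5", "192.168.64.10")]:   # VPN client -> LAN host
        hit = select_policy(pols, dirn, s, d)
        print(f"{dirn:3} {s} -> {d}: {hit.kind if hit else 'no policy'}")
    print("bypassing IPsec:", unprotected_flows(pols))
```

Run it on a real gateway with `ip xfrm policy | python3 thisscript.py`-style plumbing by replacing `SAMPLE_XFRM_POLICY` with `sys.stdin.read()`; any flow that resolves to `pass` leaves the box without ESP, and the `unprotected_flows` list is the thing to compare against what the bypass-lan plugin is supposed to exempt (only locally attached subnets).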

Have you configured a roadwarrior subnet on the main IPSec page? That could be a reason why DHCP is not working. DNS could be remedied by adding “rightdns =” to a conn section in ipsec.user.conf.