> You don't actually even need an ipsec.conf file, you could just do
>
> $ echo 'flow from 192.0.2.1/32 to 192.0.2.2/32 type bypass' | doas ipsecctl -vf -
That would actually be a very simple solution and I would sure love it! But testing doesn't show that as being the case. Packets are still being forwarded to enc0 even if they show as bypass in ipsecctl -sf. I did the forward and reverse entry to see the results. Set up two servers real quick to test, and here are the results with the simpler, shorter version of iked.conf and the bypass added:

gateway$ doas cat /etc/iked.conf
ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
ikev2 "Flow" active \
        from re1 to tunnel.realconnect.com \
        from re1 to stats.realconnect.com \
        from 66.63.44.66 to 0.0.0.0/0 \
        from 66.63.44.67 to 66.63.0.0/18 \
        from 66.63.44.67 to christine-home.realconnect.com \
        from home.ouellet.us to 0.0.0.0/0 \
        from 66.63.44.96/28 to 0.0.0.0/0 \
        peer tunnel.realconnect.com

gateway$ echo 'flow from 66.63.44.96/28 to 66.63.44.64/27 type bypass' | doas ipsecctl -vf -
gateway$ echo 'flow from 66.63.44.64/27 to 66.63.44.96/28 type bypass' | doas ipsecctl -vf -

And then check the flows to see if the bypasses are present, and they are, as below:

gateway$ doas ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 100.36.20.77 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp in from 216.15.33.137 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 216.15.33.137 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 100.36.20.77 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny

But the packets are still sent to enc0, however.
tcpdump shows that:

gateway$ doas tcpdump -nli enc0 | grep icmp
tcpdump: listening on enc0, link-type ENC
17:29:15.778857 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
17:29:15.784287 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
17:29:16.789014 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
17:29:16.793698 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
17:29:17.799066 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
17:29:17.803543 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 > 66.63.44.99: icmp: echo request (encap)
^C
44 packets received by filter
0 packets dropped by kernel

If the bypass were active it shouldn't reach enc0 but go between re1 and re2, as shown in the routing table for the test:

gateway$ doas route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            100.36.20.1        UGS        7 15559373     -     8 re0
224/4              127.0.0.1          URS        0     5756 32768     8 lo0
66.63.44.64/27     66.63.44.65        UCn        9    29469     -     4 re1
66.63.44.65        00:0d:b9:3e:d5:5d  UHLl       0    56673     -     1 re1
66.63.44.66        00:0a:41:6b:84:1c  UHLc       0   101716     -     3 re1
66.63.44.67        40:6c:8f:bc:5d:a8  UHLc       1 17896548     -     3 re1
66.63.44.72        00:1e:c0:11:ff:70  UHLc       0   576647     -     3 re1
66.63.44.73        b8:41:a4:5e:ad:41  UHLc       1   122361     -     3 re1
66.63.44.74        74:c2:46:ed:c0:1f  UHLc       0    40926     -     3 re1
66.63.44.76        c8:2a:14:23:2a:a8  UHLc       1    29533     -     3 re1
66.63.44.90        00:25:90:31:31:b2  UHLc       0   126950     -     3 re1
66.63.44.93        38:ed:18:45:12:dd  UHLc       0     2297     -     3 re1
66.63.44.94        b4:75:0e:63:d1:dc  UHLc       0    29262     -     3 re1
66.63.44.95        66.63.44.65        UHb        0    12812     -     1 re1
66.63.44.96/28     66.63.44.97        UCn        2    93512     -     4 re2
66.63.44.97        00:0d:b9:3e:d5:5e  UHLl       0    98042     -     1 re2
66.63.44.99        ac:1f:6b:b9:ef:8a  UHLc       2    94146     -     3 re2
66.63.44.102       link#3             UHLc       0    93509     -     3 re2
66.63.44.111       66.63.44.97        UHb        0     9543     -     1 re2
100.36.20/24       100.36.20.77       UCn        1        0     -     4 re0
100.36.20.1        54:e0:32:be:cf:c9  UHLch      2      364     -     3 re0
100.36.20.77       00:0d:b9:3e:d5:5c  UHLl       0  2551787     -     1 re0
100.36.20.255      100.36.20.77       UHb        0        0     -     1 re0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2      783 32768     1 lo0
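As an added check (example code written for this page, not part of the post above and not an OpenBSD tool): a small Python script that parses lines in the format of `ipsecctl -sf` and lists, for a given direction and source/destination pair, every flow whose source and destination prefixes both cover that pair. When a `bypass` flow and a `require`/`use` flow both cover the same hosts, the overlap is reported, which is the first thing to look for when traffic that should be bypassed still shows up on enc0. The sample flows are constructed after the ones posted above (a subset, not a capture from the host); the sort by prefix length is only a reading aid and does not model how the kernel's SPD chooses between overlapping flows.

```python
import ipaddress
import re

# Constructed sample in the format of `ipsecctl -sf` output, modelled on the
# flows posted in the message above (a subset; not captured from that host).
SAMPLE_FLOWS = """\
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from ::/0 to ::/0 type deny
"""

# One flow line: "flow <proto> <in|out> from <src> to <dst> [peer <addr> ...] type <type>"
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?.*?\s+type\s+(?P<type>\S+)\s*$"
)


def parse_flows(text):
    """Parse ipsecctl -sf style lines into dicts with ip_network src/dst."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised flow line: " + line)
        f = m.groupdict()
        # A bare address such as 66.63.44.90 becomes a /32 (or /128) network.
        f["src"] = ipaddress.ip_network(f["src"], strict=False)
        f["dst"] = ipaddress.ip_network(f["dst"], strict=False)
        flows.append(f)
    return flows


def matching_flows(flows, direction, src, dst):
    """All flows of the given direction whose prefixes cover src and dst.

    Sorted with the longest source prefix first, then longest destination
    prefix. This ordering is a reading aid only; it is not the kernel's
    SPD selection rule.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    hits = []
    for f in flows:
        if f["dir"] != direction or f["src"].version != src.version:
            continue
        if src in f["src"] and dst in f["dst"]:
            hits.append(f)
    hits.sort(key=lambda f: (f["src"].prefixlen, f["dst"].prefixlen), reverse=True)
    return hits


def bypass_is_shadowed(flows, direction, src, dst):
    """True when a bypass flow and a non-bypass flow both cover the pair."""
    types = [f["type"] for f in matching_flows(flows, direction, src, dst)]
    return "bypass" in types and any(t != "bypass" for t in types)


def report(flows, direction, src, dst):
    for f in matching_flows(flows, direction, src, dst):
        print("%-3s from %-18s to %-18s type %s"
              % (f["dir"], f["src"], f["dst"], f["type"]))
    if bypass_is_shadowed(flows, direction, src, dst):
        print("overlap: bypass and non-bypass flows both cover %s -> %s" % (src, dst))


if __name__ == "__main__":
    # The pinged pair from the tcpdump above: 66.63.44.90 -> 66.63.44.99.
    report(parse_flows(SAMPLE_FLOWS), "out", "66.63.44.90", "66.63.44.99")
```

To run it against a live box, replace SAMPLE_FLOWS with the output of `doas ipsecctl -sf` and call report() with the direction and the two addresses you are testing; an `overlap` line means more than one flow claims the pair, and the kernel's choice among them is what has to be checked next.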