On 13.9.2021. 15:52, Stuart Henderson wrote:
> On 2021-09-13, Hrvoje Popovski <hrv...@srce.hr> wrote:
>> On 13.9.2021. 14:08, Tom Smyth wrote:
>>> Can you do an exception for the ranges ... so internet - private ips
>>> you don't want over the tunnel)
>>>
>>> ike esp from 10.90.0.0/24 to any encrypt
>>> and
>>>
>>> 10.90.0.0/24 to NOT [networks you don't want
>>> over the tunnel) ?
>>>
>>
>> :) this was the first thought that I've had ... but I couldn't find how
>> to do it ... at least in man ipsec.conf or isakmpd.conf
>>
>>
>
> You do this with a "bypass flow" in /etc/ipsec.conf:
>
> flow from $network/$prefix to $network/$prefix type bypass
>
> and loading it with ipsecctl. Note if you use iked, you cannot configure
> this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
> for this purpose in conjunction with iked for tunnel setup.
>
>
Thank you guys ... with "type bypass" everything is working as expected

c/p from config

ike esp from 10.90.0.0/24 to any \
        local $localip peer $peerip \
        main auth hmac-sha1 enc aes group modp1024 \
        quick enc aes-128-gcm group modp1024 \
        psk 123

flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass


ipsecctl -sa | grep 10.9
flow esp in from 0.0.0.0/0 to 10.90.0.0/24 peer $peerip srcid $localip dstid $peerip type require
flow esp in from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp in from 10.91.0.0/24 to 10.90.0.0/24 type bypass
flow esp in from 10.92.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 0.0.0.0/0 peer $peerip srcid $localip dstid $peerip type require
flow esp out from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.91.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.92.0.0/24 type bypass
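The thread's point is that a "from 10.90.0.0/24 to any" rule installs a catch-all "require" flow in both directions, and that traffic for networks that must stay off the tunnel is carved out with more specific "type bypass" flows. A practical check after loading the configuration is to confirm that every excluded network is actually covered by a bypass flow in both the "in" and the "out" direction, since a missing one silently sends that traffic into the tunnel (or blackholes it). The following is an added example, not code from the thread or from OpenBSD: it parses "ipsecctl -sa" flow lines and reports any excluded network that lacks a bypass flow. The sample SPD text is constructed from the shape of the output quoted above, with $localip and $peerip replaced by documentation addresses (an assumption), and the third bypass pair deliberately left out so the check has something to report.

```python
"""Verify that the loaded SPD carries bypass flows for every network that
must not be tunneled (added example; not part of the mailing-list thread)."""
import ipaddress
import re

# Constructed sample in the shape of `ipsecctl -sa` output. 192.0.2.1 and
# 198.51.100.1 stand in for $peerip and $localip (hypothetical values).
# The 10.92.0.0/24 bypass flows are intentionally missing.
SAMPLE_SPD = """\
flow esp in from 0.0.0.0/0 to 10.90.0.0/24 peer 192.0.2.1 srcid 198.51.100.1 dstid 192.0.2.1 type require
flow esp in from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp in from 10.91.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 0.0.0.0/0 peer 192.0.2.1 srcid 198.51.100.1 dstid 192.0.2.1 type require
flow esp out from 10.90.0.0/24 to 10.90.0.0/24 type bypass
flow esp out from 10.90.0.0/24 to 10.91.0.0/24 type bypass
"""

# One ipsecctl flow line: "flow <proto> <in|out> from <net> to <net> ... type <type>"
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r".*?\btype\s+(?P<type>\S+)\s*$"
)


def parse_flows(text):
    """Turn ipsecctl -sa output into a list of flow dicts; non-flow lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "dir": m.group("dir"),
            "src": ipaddress.ip_network(m.group("src")),
            "dst": ipaddress.ip_network(m.group("dst")),
            "type": m.group("type"),
        })
    return flows


def catchall_flows(flows):
    """Directions in which a 'require' flow matches 0.0.0.0/0 on either side,
    i.e. where everything not carved out by a bypass goes into the tunnel."""
    return sorted({
        f["dir"] for f in flows
        if f["type"] == "require"
        and (f["src"].prefixlen == 0 or f["dst"].prefixlen == 0)
    })


def missing_bypasses(flows, local_net, excluded_nets):
    """Return (direction, network) pairs for which no bypass flow covers traffic
    between local_net and that excluded network in that direction."""
    local = ipaddress.ip_network(local_net)
    missing = []
    for net in map(ipaddress.ip_network, excluded_nets):
        # "out" carries local -> excluded, "in" carries excluded -> local.
        for direction, src, dst in (("out", local, net), ("in", net, local)):
            covered = any(
                f["dir"] == direction and f["type"] == "bypass"
                and src.subnet_of(f["src"]) and dst.subnet_of(f["dst"])
                for f in flows
            )
            if not covered:
                missing.append((direction, str(net)))
    return missing


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_SPD)
    print("catch-all require flows in directions:", catchall_flows(flows))
    gaps = missing_bypasses(flows, "10.90.0.0/24",
                            ["10.90.0.0/24", "10.91.0.0/24", "10.92.0.0/24"])
    for direction, net in gaps:
        print(f"no bypass flow ({direction}) for {net}")
```

On a live box the same check runs against real output with something like `missing_bypasses(parse_flows(subprocess.check_output(["ipsecctl", "-sa"], text=True)), ...)`; the point of checking both directions separately is that ipsecctl expands a single "flow ... type bypass" line into an in and an out entry, and a hand-edited SPD can easily end up with only one of them.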