Tuesday, October 05, 2021

Re: ipsec with default route and routing of internal networks

On 14.9.2021. 13:12, Hrvoje Popovski wrote:
> On 13.9.2021. 15:52, Stuart Henderson wrote:
>> On 2021-09-13, Hrvoje Popovski <hrvoje@srce.hr> wrote:
>>> On 13.9.2021. 14:08, Tom Smyth wrote:
>>>> Can you do an exception for the ranges ... so internet - private ips
>>>> you don't want over the tunnel)
>>>>
>>>> ike esp from 10.90.0.0/24 to any encrypt
>>>> and
>>>>
>>>>  10.90.0.0/24 to NOT [networks you don't want
>>>> over the tunnel) ?
>>>>
>>>
>>> :) this was the first thought that I've had ... but I couldn't find how
>>> to do it ... at least in man ipsec.conf or isakmpd.conf
>>>
>>>
>>
>> You do this with a "bypass flow" in /etc/ipsec.conf:
>>
>> flow from $network/$prefix to $network/$prefix type bypass
>>
>> and loading it with ipsecctl. Note if you use iked, you cannot configure
>> this directly in iked.conf, but you can still use ipsecctl and ipsec.conf
>> for this purpose in conjunction with iked for tunnel setup.
>>
>>
>
> Thank you guys ... with "type bypass" everything is working as expected
>
> c/p from config
> ike esp from 10.90.0.0/24 to any \
> local $localip peer $peerip \
> main auth hmac-sha1 enc aes group modp1024 \
> quick enc aes-128-gcm group modp1024 \
> psk 123
> flow from 10.90.0.0/24 to 10.90.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.91.0.0/24 type bypass
> flow from 10.90.0.0/24 to 10.92.0.0/24 type bypass
>

and if you have carp (multicast) then you need
flow from 10.90.0.0/24 to 224.0.0.18/32 type bypass
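As an added example (not code from the thread): a small shell script that assembles the ipsec.conf described above, a catch-all "to any" tunnel plus one bypass flow per internal network and one for the CARP multicast group, and syntax-checks it with ipsecctl -n before anything is loaded. The gateway addresses 192.0.2.1 / 198.51.100.1 and the PSK string are placeholders; the tunnel parameters are copied from Hrvoje's config.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds the ipsec.conf
# discussed above and checks it with "ipsecctl -n -f" (no flows are loaded).
set -eu

# Placeholder gateway addresses (documentation ranges); replace with yours.
localip="192.0.2.1"
peerip="198.51.100.1"
tunnel_net="10.90.0.0/24"
# Internal networks that must stay off the tunnel (the thread's own list).
internal_nets="10.90.0.0/24 10.91.0.0/24 10.92.0.0/24"

# One bypass flow per internal network, plus one for CARP's multicast group.
# These flows are more specific than "from $tunnel_net to any", so the SPD
# lookup picks them first and that traffic is neither encrypted nor dropped.
gen_bypass_flows() {
    src="$1"; shift
    for net in "$@"; do
        printf 'flow from %s to %s type bypass\n' "$src" "$net"
    done
    # CARP advertisements go to the VRRP multicast address 224.0.0.18.
    printf 'flow from %s to 224.0.0.18/32 type bypass\n' "$src"
}

# Full config: catch-all tunnel first, bypass exceptions after it.
gen_ipsec_conf() {
    cat <<EOF
# Everything from $tunnel_net is tunnelled to the peer, except the bypass flows.
ike esp from $tunnel_net to any \\
    local $localip peer $peerip \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick enc aes-128-gcm group modp1024 \\
    psk "CHANGE-ME-to-a-long-random-secret"
EOF
    # modp1024 and "psk 123" are what the thread used; prefer modp2048+ and a
    # long random PSK in production.
    gen_bypass_flows "$tunnel_net" $internal_nets
}

cfg="${1:-/tmp/ipsec.conf.new}"
gen_ipsec_conf > "$cfg"

# -n parses without loading; on a box with ipsecctl this catches typos early.
if command -v ipsecctl >/dev/null 2>&1; then
    ipsecctl -n -f "$cfg" && echo "syntax OK: load with ipsecctl -f $cfg, then ipsecctl -sf"
else
    cat "$cfg"
fi
```

After loading, `ipsecctl -sf` lists the installed flows; the bypass entries should appear next to the tunnel flow, and a ping to a 10.91.0.0/24 host should no longer enter the tunnel.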
