
Issue #3114

'bypass' of strongswan for openwrt

Added by zhenxing huang 14 days ago. Updated 11 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
documentation
Affected version:
5.6.3
Resolution:
No change required

Description

Hello everyone,
I have tried all the solutions, so I have to ask everyone here.

I have established a VPN tunnel between two OpenWrt devices using strongSwan.

#ipsec status :
Security Associations (1 up, 0 connecting):
a[56]: ESTABLISHED 12 seconds ago, local_wan_IP[localIP]...remoteIP[remoteIP]
a{33}: INSTALLED, TUNNEL, reqid 22, ESP in UDP SPIs: c4d0570b_i c694128f_o
a{33}: 192.168.3.0/24 === 0.0.0.0/0

The rule and route created by the system:

#ip route show table 220
default via local_wan_IP_gateway dev eth1 proto static src 192.168.3.1

(All clients can't access the internet at this point, and can't access openwrt_lan_ip:192.168.3.1 either.)

I inserted the route into table 220:

#ip route add 192.168.3.0/24 dev br-lan src 192.168.3.1 table 220

(All clients can access the internet via the local ISP now, which is what I expected.
Clients still can't access openwrt_lan_ip:192.168.3.1.)

The problems are:
Why does traffic go to remote_openwrt when I execute tracert to an IP?
Why, when any client runs tracert to any external_IP, are all clients down afterwards until I delete and reinsert the route manually or wait for the CHILD_SA (c4d0570b_i c694128f_o) to change?
How do I access openwrt_lan_ip? (There is no bypass plugin here.)

#traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
1 * * *
2 _local_wan_IP_ 3093.182 ms !H 3116.784 ms !H
(traceroute ends here)

Please help. Thank you.

History

#1 Updated by Tobias Brunner 14 days ago

  • Description updated (diff)
  • Status changed from New to Feedback

Sorry I don't get what you are asking. You might want to read ForwardingAndSplitTunneling, sounds like it could be related.

#2 Updated by zhenxing huang 12 days ago

Tobias Brunner wrote:

Sorry I don't get what you are asking. You might want to read ForwardingAndSplitTunneling, sounds like it could be related.

Thank you for your response.

My remote traffic selector is 0.0.0.0/0 on OpenWrt and there is no ipk package for bypass-lan.
My subnets want to access local devices.

How do I do that? Thank you.

#3 Updated by Noel Kuntze 12 days ago

Just configure your required passthrough policy manually in ipsec.conf or swanctl.conf, depending on what configuration file you're using. The bypass-lan plugin and manually configured passthrough policies are not mutually exclusive.

The UsableExamples article has examples for passthrough policies under the "Passthrough policy" heading.
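A passthrough policy for the LAN in this ticket (192.168.3.0/24, no bypass-lan plugin), written here as an added example in swanctl.conf syntax; it is not copied from the UsableExamples article, and the connection and child names are assumptions:

```conf
# Added example (not from the ticket or the strongSwan wiki).
# A "pass" child installs an XFRM policy that exempts LAN-to-LAN traffic
# from the 0.0.0.0/0 tunnel policy, so clients can reach 192.168.3.1 and
# each other without those packets being routed into the tunnel.
connections {
    # Name is an assumption; no IKE SA is negotiated for a pass policy,
    # so no peer address or authentication is needed.
    pass-lan {
        children {
            pass-lan {
                # Both selectors cover the local LAN, including the
                # gateway's own LAN address 192.168.3.1.
                local_ts  = 192.168.3.0/24
                remote_ts = 192.168.3.0/24
                # "pass" = passthrough (the ipsec.conf equivalent is
                # type=passthrough); "trap" installs the policy at load time
                # (ipsec.conf: auto=route).
                mode = pass
                start_action = trap
            }
        }
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` (or `ip xfrm policy`) should show the pass policy next to the 192.168.3.0/24 === 0.0.0.0/0 tunnel policy; the narrower selector takes precedence, so LAN-to-LAN traffic stays off the tunnel.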

#4 Updated by zhenxing huang 11 days ago

Noel Kuntze wrote:

Just configure your required passthrough policy manually in ipsec.conf or swanctl.conf, depending on what configuration file you're using. The bypass-lan plugin and manually configured passthrough policies are not mutually exclusive.

The UsableExamples article has examples for passthrough policies under the "Passthrough policy" heading.

Yes, perfect.
Solved.
Thank you very much!!

#5 Updated by Noel Kuntze 11 days ago

  • Category set to documentation
  • Status changed from Feedback to Closed
  • Resolution set to No change required
