Issue #3420

How to set up an IP pool that will not go through the VPN tunnel?

Added by Royi Cohen 4 months ago. Updated 3 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.4
Resolution:

Description

Is it possible to set IP addresses so that when the client tries to connect to them, the connection goes directly and not through the VPN tunnel?

I saw that I can define the destination IPs, but does it also support the ability to define a list of IPs that will bypass the VPN?

History

#1 Updated by Tobias Brunner 4 months ago

  • Category set to configuration
  • Status changed from New to Feedback

Have a look at passthrough policies, which clients can use to exclude certain traffic from VPN tunnels.

#2 Updated by Royi Cohen 3 months ago

Something is not clear to me.

I have the following configuration in ipsec.conf:
conn ios
fragmentation=yes
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsourceip=10.0.0.0/16
auto=add
dpdaction = clear
dpddelay = 3600s

Is it possible to add to the server configuration an IP address to which the client will not send traffic via the VPN tunnel, for example by adding the following configuration to ipsec.conf?
conn passthrough-2
left=127.0.0.1
leftsubnet=192.168.0.0/16
rightsubnet=10.0.0.0/8
type=passthrough
auto=route

#3 Updated by Royi Cohen 3 months ago

A better example for my question: if I want to bypass the VPN tunnel on the client side for 2 destination IPs like 1.1.1.1 and 2.2.2.2, will adding the following conf to the ipsec.conf on the server do the job?
conn passthrough_base
left=127.0.0.1
right=127.0.0.1
type=passthrough
auto=route

conn passthrough_1
also=passthrough_base
leftsubnet=0.0.0.0/0
rightsubnet=1.1.1.1/32, 2.2.2.2/32

#4 Updated by Tobias Brunner 3 months ago

> Is it possible to add to the server configuration an IP address to which the client will not send traffic via the VPN tunnel

Only with IKEv1 and the proprietary Cisco Unity attributes (split-exclude). With IKEv2 you could use narrowing (i.e. change leftsubnet so it includes only subnets to tunnel), but excluding single IP addresses could result in a lot of traffic selectors (possibly too many) and not all clients support this.

> will adding the following conf to the ipsec.conf on the server do the job?

No, you have to configure such policies on the client. It's the one who decides what to tunnel.
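To make the client-side placement concrete, here is an added example of a Linux strongSwan client's ipsec.conf that tunnels everything except the two destinations from comment #3. It is not from this issue and not from the strongSwan documentation; the server name `vpn.example.org` and the certificate file name are placeholders, the tunnel conn is the client-side counterpart assumed to match the server's `ios` conn above, and the bypass conn assumes that a passthrough policy with a /32 destination takes precedence over the tunnel's 0.0.0.0/0 policy and that `authby=never` is accepted for shunt connections that never negotiate:

```ini
# Client-side ipsec.conf (added example, not part of the issue).
config setup

conn %default
    keyexchange=ikev1

# The tunnel: matches the server's "ios" conn, everything is sent through it.
conn vpn
    authby=xauthrsasig
    xauth=client
    left=%defaultroute
    leftsourceip=%config       # request a virtual IP from the server's rightsourceip pool
    leftcert=clientCert.pem    # placeholder certificate name
    leftfirewall=yes
    right=vpn.example.org      # placeholder server address
    rightsubnet=0.0.0.0/0
    auto=start

# Shunt policy: packets to these two destinations bypass IPsec entirely.
# auto=route installs the policy in the kernel without any IKE exchange,
# so no peer authentication is configured (authby=never).
conn bypass
    leftsubnet=0.0.0.0/0       # any local source, including the virtual IP
    rightsubnet=1.1.1.1/32,2.2.2.2/32
    authby=never
    type=passthrough
    auto=route
```

After `ipsec reload`, `ipsec statusall` should list `bypass` under the routed connections, and `ip xfrm policy` should show outbound entries for 1.1.1.1/32 and 2.2.2.2/32 with a higher priority (lower number) than the 0.0.0.0/0 entry of the tunnel; if traffic to those hosts still enters the tunnel, compare `ip route show table 220` with the main table, because the routing decision for the source address is made before the policy lookup.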

#5 Updated by Royi Cohen 3 months ago

Tobias Brunner wrote:

> ... but excluding single IP addresses could result in a lot of traffic selectors (possibly too many) and not all clients support this.

Is this related to both options, IKEv1 and IKEv2?

So there is not a good way of doing that?

#6 Updated by Tobias Brunner 3 months ago

> > ... but excluding single IP addresses could result in a lot of traffic selectors (possibly too many) and not all clients support this.

> Is this related to both options, IKEv1 and IKEv2?

No, only narrowing with IKEv2.

> So there is not a good way of doing that?

Not from the server.
