How to set up an IP pool that will not go through the VPN tunnel?
Is it possible to set IP addresses such that, when the client tries to connect to them, the connection goes directly and not through the VPN tunnel?
I saw that I can define the destination IPs, but does it also support the ability to define a list of IPs that will bypass the VPN?
#2 Updated by Royi Cohen 6 months ago
Something is not clear to me.
I have the following configuration in ipsec.conf:
dpdaction = clear
dpddelay = 3600s
Is it possible to add to the server configuration an IP address to which the client will not send traffic via the VPN tunnel, for example by adding the following to the IPsec configuration?:
#3 Updated by Royi Cohen 6 months ago
A better example for my question: if I want to bypass the VPN tunnel on the client side for 2 destination IPs like 188.8.131.52 and 184.108.40.206, will adding the following conf to the ipsec.conf on the server do the job?
#4 Updated by Tobias Brunner 6 months ago
Is it possible to add to the server configuration an IP address to which the client will not send traffic via the VPN tunnel
Only with IKEv1 and the proprietary Cisco Unity attributes (split-exclude). With IKEv2 you could use narrowing (i.e. change leftsubnet so it includes only subnets to tunnel), but excluding single IP addresses could result in a lot of traffic selectors (possibly too many) and not all clients support this.
will adding the following conf to the ipsec.conf on the server do the job?
No, you have to configure such policies on the client. It's the one who decides what to tunnel.
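To show why narrowing by "excluding single IP addresses could result in a lot of traffic selectors", here is an added example (not strongSwan code and not from this thread) that computes the disjoint CIDR blocks leftsubnet would have to list to cover everything except the two hosts from #3. It assumes the server narrows from 0.0.0.0/0; the host addresses are the ones given above.

```python
import ipaddress

def exclude_hosts(base, hosts):
    """Split `base` into the smallest disjoint set of CIDR blocks that
    together cover every address in `base` except the given `hosts`.
    Each block would become one traffic selector in leftsubnet/rightsubnet."""
    base = ipaddress.ip_network(base)
    excluded = [ipaddress.ip_network(h) for h in hosts]
    selectors = []

    def walk(net):
        # Any excluded host inside this block forces the block to be halved.
        hit = [h for h in excluded if h.subnet_of(net)]
        if not hit:
            selectors.append(net)          # clean block: keep it whole
        elif net.prefixlen < net.max_prefixlen:
            for child in net.subnets(prefixlen_diff=1):
                walk(child)                # halve and recurse
        # a /32 that is itself an excluded host is simply dropped

    walk(base)
    return selectors

def covers(selectors, ip):
    """True if `ip` falls inside any of the computed selectors."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in selectors)

def covered_addresses(selectors):
    """Total number of addresses the selectors cover (for sanity checks)."""
    return sum(net.num_addresses for net in selectors)

def as_subnet_option(selectors):
    """Render the list the way ipsec.conf expects: a comma-separated value."""
    return "leftsubnet=" + ",".join(str(net) for net in selectors)

if __name__ == "__main__":
    # Constructed input: the two destinations mentioned in the thread.
    sel = exclude_hosts("0.0.0.0/0", ["188.8.131.52", "184.108.40.206"])
    print(len(sel), "traffic selectors needed")   # prints 57
    print(as_subnet_option(sel))
```

Excluding a single host from 0.0.0.0/0 already needs 32 selectors, and each additional host adds roughly as many again, which is why this approach quickly exceeds what many clients accept.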
#6 Updated by Tobias Brunner 6 months ago
... but excluding single IP addresses could result in a lot of traffic selectors (possibly too many) and not all clients support this.
Is this related to both options, IKEv1 and IKEv2?
No, only narrowing with IKEv2.
So there is no good way of doing that?
Not from the server.