FS#55953 - [strongswan] add bypass-lan plugin
Attached to Project:
Community Packages
Opened by Christoph Gysin (christoph.gysin) - Wednesday, 11 October 2017, 15:11 GMT
Last edited by Christian Rebischke (Shibumi) - Friday, 13 October 2017, 19:22 GMT
Details
Description:
I just spent a few hours debugging why I can't talk to docker containers on my local machine when an IPSec connection is up. Turns out, IPSec policies disregard all existing routes, including the one set up by docker to route traffic to the docker0 bridge.

The solution was to enable the bypass-lan plugin:
https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

"The bypass-lan plugin automatically installs and updates passthrough/bypass policies for locally attached subnets. This is useful for mobile hosts that are used in different networks that want to access local devices in these networks (e.g. printers or NAS) while connected to a VPN that would otherwise cover that traffic too (e.g. if the remote traffic selector is 0.0.0.0/0)."

To enable the plugin, simply pass to ./configure:
--enable-bypass-lan

Also, unrelated to this issue, strongswan currently does not compile in arch because of:
https://wiki.strongswan.org/issues/2425
So you might want to copy that patch too.
Closed by Christian Rebischke (Shibumi)
Friday, 13 October 2017, 19:22 GMT
Reason for closing: Fixed
Additional comments about closing: 5.6.0-2

Thanks, your link to the patch was very helpful. I have enabled the
bypass-lan plugin. Check out version 5.6.0-2.
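
A diagnostic sketch for the problem described in the report, added here and not part of the ticket or of strongSwan: it lists the directly attached subnets that a remote traffic selector also covers, which are the subnets a passthrough policy has to exempt. The route listing, interface names and function names are constructed for this example, and the plugin's own subnet discovery may work differently.

```python
import ipaddress

# Constructed `ip -o -4 route show` output (not from the ticket): a Wi-Fi LAN,
# the docker0 bridge, and one subnet that is only reachable through a gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 192.168.1.254 dev wlan0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def attached_subnets(route_text):
    """Return (network, device) for every directly connected route."""
    found = []
    for line in route_text.splitlines():
        tok = line.split()
        # Directly connected routes have link scope and no gateway ("via").
        if "via" in tok or "scope link" not in line:
            continue
        try:
            net = ipaddress.ip_network(tok[0], strict=False)
            dev = tok[tok.index("dev") + 1]
        except (ValueError, IndexError):
            continue  # "default", route-type keywords, or truncated lines
        found.append((net, dev))
    return found


def shadowed_subnets(remote_ts, route_text):
    """Attached subnets that a remote traffic selector also covers.

    Traffic to these subnets matches the tunnel policy even though a more
    specific route exists, because policy lookup does not consult routes.
    """
    selectors = [ipaddress.ip_network(ts) for ts in remote_ts]
    return [
        (str(net), dev)
        for net, dev in attached_subnets(route_text)
        if any(net.version == ts.version and net.subnet_of(ts)
               for ts in selectors)
    ]


if __name__ == "__main__":
    for net, dev in shadowed_subnets(["0.0.0.0/0"], SAMPLE_ROUTES):
        print(f"{net} on {dev}: attached, but matched by the tunnel policy")
```

On a real host, replace `SAMPLE_ROUTES` with the output of `ip -o -4 route show` and pass the remote traffic selectors of the active connection.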