Does 2.1 allow bypassing of IPSec with policy based routing?

  • If I connect two networks with an IPSec link, is there a way to use policy based routing with a floating rule to snatch traffic away from the IPSec tunnel, or is that not possible?

    Basically, if I want to connect two networks with public IP addresses so as to have most traffic protected, but e.g. I want to access the web server like anyone else without going through the IPSec tunnel, can I do it, or does the IPSec tunnel grab everything before the floating rules even have a chance to direct the traffic to the regular gateway?

    Not having much success, but if I'm trying the impossible, that would explain that ;)


  • Rebel Alliance Developer Netgate

    I don't have one handy to try it with, but I believe that the traffic will just fall into the nether if you do that.

    FreeBSD's IPsec code will grab the packets that match the Phase 2 and try to make them enter the tunnel if they reach the system. The way route-to works, the packet would be leaving the firewall, but still matching the P2, but perhaps exiting the "wrong" way and thus the IPsec code may not let it leave since to do so would be a security violation of the IPsec policy.

    So, it may work. I'd be surprised if it did, but it's worth trying.
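As an added illustration, not part of the original thread and not pfSense or FreeBSD code, the following Python model shows the point the reply turns on: an IPsec security policy (the Phase 2) is matched on packet selectors (source/destination network, protocol), never on the interface that the routing table or a pf `route-to` rule picked, so steering a packet out a different gateway does not stop it from matching the policy. The address ranges, the "most specific policy wins" tie-break, and the `none` bypass entry (modelled on the `-P out none` policies FreeBSD's `setkey` accepts) are assumptions of the model; it does not reproduce what the 2.1 kernel actually does with a policy-matching packet that `route-to` has pushed out the "wrong" way, which is the part the reply is unsure about.

```python
"""Toy model of outbound IPsec SPD matching versus pf route-to.

Assumed scenario (constructed for this example): site A is 192.0.2.0/24,
site B is 198.51.100.0/24, the P2 covers A<->B, and 198.51.100.10 is a
public web server at site B that the asker wants to reach in the clear.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    # Interface chosen by the routing table or by a pf route-to rule.
    # Deliberately NOT a selector: the SPD lookup below never reads it.
    egress_if: str = "wan"


@dataclass(frozen=True)
class SpdEntry:
    """One outbound policy, in the spirit of
    `setkey spdadd <src> <dst> <proto> -P out ipsec ...` / `-P out none`."""
    src_net: str
    dst_net: str
    proto: str    # "any" or a protocol name
    action: str   # "ipsec" = send through the tunnel, "none" = bypass IPsec


def _matches(entry: SpdEntry, pkt: Packet) -> bool:
    return (
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(entry.src_net)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(entry.dst_net)
        and entry.proto in ("any", pkt.proto)
    )


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """Return the matching policy, or None when the packet is outside every
    policy. Assumption of this model: the most specific entry (longest
    destination prefix, then longest source prefix) wins."""
    hits = [e for e in spd if _matches(e, pkt)]
    if not hits:
        return None
    return max(
        hits,
        key=lambda e: (
            ipaddress.ip_network(e.dst_net).prefixlen,
            ipaddress.ip_network(e.src_net).prefixlen,
        ),
    )


def dispatch(spd: List[SpdEntry], pkt: Packet) -> str:
    """What the policy decision says should happen to the packet."""
    entry = spd_lookup(spd, pkt)
    if entry is None or entry.action == "none":
        return f"plaintext via {pkt.egress_if}"
    return "ipsec tunnel"


# The P2 as the asker described it: everything between the two sites.
SPD_TUNNEL_ONLY = [
    SpdEntry("192.0.2.0/24", "198.51.100.0/24", "any", "ipsec"),
]

# Same P2 plus a more specific bypass entry for the web server (assumed
# mechanism; whether pfSense 2.1 exposes such an entry is not claimed here).
SPD_WITH_BYPASS = SPD_TUNNEL_ONLY + [
    SpdEntry("192.0.2.0/24", "198.51.100.10/32", "tcp", "none"),
]


if __name__ == "__main__":
    to_web = Packet("192.0.2.5", "198.51.100.10", egress_if="wan")
    to_other = Packet("192.0.2.5", "198.51.100.20")
    to_internet = Packet("192.0.2.5", "203.0.113.7")
    # route-to changed egress_if, but the selectors still match the P2:
    print("route-to, tunnel-only SPD:", dispatch(SPD_TUNNEL_ONLY, to_web))
    print("with bypass policy:       ", dispatch(SPD_WITH_BYPASS, to_web))
    print("other host at site B:     ", dispatch(SPD_WITH_BYPASS, to_other))
    print("unrelated destination:    ", dispatch(SPD_TUNNEL_ONLY, to_internet))
```

The first call is the asker's experiment: with only the site-to-site P2 installed, a packet to the web server still resolves to "ipsec tunnel" no matter what `egress_if` the floating rule set, which is why the floating rule alone cannot pull it out of the tunnel. Only a policy entry that is more specific than the P2 changes the decision in this model.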