Feature #1109

closed

Allow prepending exception entries to SPD

Added by Bill Fenner almost 14 years ago. Updated almost 9 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 12/15/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

I'm using pfSense 2.0 at a remote office, with an IPsec site-to-site tunnel. Let's say that we have lots of sites, so we configured 10.0.0.0/8 as the remote subnet, and this is site 42, so we configured 10.42.0.0/16 as the local subnet.

This all works fine, until you try to add in OpenVPN on pfsense as well. The remote office users want to be able to VPN to their own office, and then also access headquarters and the rest of the network. Let's say we use 10.42.128.0/24 for the OpenVPN Tunnel Network. Users can connect, but all of their traffic gets dropped, and counted as "packets not forwardable" in "netstat -s". This is because they matched the 10.42.0.0/16 -> 10.0.0.0/8 SPD entry.

The SPD is designed to handle this situation: add entries like

spdadd 10.42.0.0/16 10.42.0.0/16 any -P in none ;
spdadd 10.42.0.0/16 10.42.0.0/16 any -P out none ;

first, before the SPD entries for the active tunnels. (The importance of SPD ordering is touched on in Feature #893.) I'd like a hook to be able to configure such entries.

Since the SPD is simply ordered, not longest-match, you could imagine a more complex situation requiring fully-ordered tunnels and exceptions (e.g., a site-to-site tunnel to 10.42.192.0/24 would require SPD entries before the ones above), so it'd probably be best to somehow make these exceptions enough like tunnels in the GUI that it's possible to reorder them all in one interface. (This is not strictly necessary, since you could create multiple SPD exception entries covering all of the space except for 10.42.192.0/24, but it would sure be handy.)
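The following is an added illustration, not code from the issue, from pfSense or from the reporter: a small Python model of first-match SPD lookup for the site-42 addressing above, rendering each entry as the setkey "spdadd" line it corresponds to. It assumes that a packet matching no entry is forwarded in the clear, models only IPv4 selectors with protocol "any", and uses constructed host addresses (10.42.128.5, 10.42.1.10, 10.1.2.3, 10.42.192.7) for the flows it checks.

```python
"""First-match SPD model for the scenario in this issue (added example).

The kernel consults SPD entries in order and the first entry whose selectors
match decides the policy; the table is not longest-prefix.  Assumptions not
taken from the issue: no matching entry means plain forwarding, IPv4 only,
upper-layer protocol always "any".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdEntry:
    src: str         # source selector, e.g. "10.42.0.0/16"
    dst: str         # destination selector
    direction: str   # "in" or "out"
    policy: str      # "none" (bypass IPsec) or "ipsec" (send through a tunnel)

    def matches(self, src_ip, dst_ip, direction):
        return (direction == self.direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def setkey_line(self):
        # The setkey(8) configuration line this entry corresponds to.
        return f"spdadd {self.src} {self.dst} any -P {self.direction} {self.policy} ;"


def spd_lookup(spd, src_ip, dst_ip, direction="out"):
    """Policy of the first matching entry; 'none' if nothing matches (assumed default)."""
    for entry in spd:
        if entry.matches(src_ip, dst_ip, direction):
            return entry.policy
    return "none"


def tunnel(local, remote):
    """Both directions of a site-to-site tunnel between two selectors."""
    return [SpdEntry(local, remote, "out", "ipsec"),
            SpdEntry(remote, local, "in", "ipsec")]


def bypass(local):
    """Exception entries: traffic staying inside 'local' never enters a tunnel."""
    return [SpdEntry(local, local, "out", "none"),
            SpdEntry(local, local, "in", "none")]


# Site 42 from the issue: local 10.42.0.0/16, remote 10.0.0.0/8,
# OpenVPN tunnel network 10.42.128.0/24, optional sub-site tunnel to 10.42.192.0/24.
HQ_TUNNEL = tunnel("10.42.0.0/16", "10.0.0.0/8")
LOCAL_BYPASS = bypass("10.42.0.0/16")
SUBSITE_TUNNEL = tunnel("10.42.0.0/16", "10.42.192.0/24")

SPD_TUNNEL_ONLY = HQ_TUNNEL                                   # the reported problem
SPD_BYPASS_FIRST = LOCAL_BYPASS + HQ_TUNNEL                   # the requested fix
SPD_BYPASS_LAST = HQ_TUNNEL + LOCAL_BYPASS                    # wrong order: shadowed
SPD_FULLY_ORDERED = SUBSITE_TUNNEL + LOCAL_BYPASS + HQ_TUNNEL # sub-site case, correct
SPD_SUBSITE_SHADOWED = LOCAL_BYPASS + SUBSITE_TUNNEL + HQ_TUNNEL  # sub-site case, wrong


def check(spd):
    """What happens to three outbound flows from a constructed OpenVPN client 10.42.128.5."""
    return {
        "to office host 10.42.1.10": spd_lookup(spd, "10.42.128.5", "10.42.1.10"),
        "to HQ host 10.1.2.3": spd_lookup(spd, "10.42.128.5", "10.1.2.3"),
        "to subsite host 10.42.192.7": spd_lookup(spd, "10.42.128.5", "10.42.192.7"),
    }


if __name__ == "__main__":
    for name, spd in [("tunnel only", SPD_TUNNEL_ONLY),
                      ("bypass first", SPD_BYPASS_FIRST),
                      ("bypass last", SPD_BYPASS_LAST),
                      ("fully ordered", SPD_FULLY_ORDERED),
                      ("subsite shadowed", SPD_SUBSITE_SHADOWED)]:
        print(f"== {name} ==")
        for entry in spd:
            print("  " + entry.setkey_line())
        for flow, policy in check(spd).items():
            print(f"  {flow}: {policy}")
```

Running it shows the two orderings that matter: with only the HQ tunnel, client traffic to the local office is swept into the 10.42.0.0/16 -> 10.0.0.0/8 entry, and appending the exceptions after the tunnel changes nothing because they are never reached. Prepending them fixes local traffic, but a narrower sub-site tunnel to 10.42.192.0/24 then has to sit in front of the exceptions or it is shadowed in turn, which is the reordering problem the issue describes.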
