Project

General

Profile

Actions

Feature #3329

closed

Allow creating "not" rules for IPsec Phase 2

Added by Jim Pingle almost 8 years ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
11/19/2013
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

We should have the ability in Phase 2 to negate the action ("none" in the SPD) so that specific traffic can be made to not enter an IPsec tunnel.

Somewhat related to #3328 (reordering P2 entries) so these exceptions can be moved above the other entries as needed.

These entries would not need to have any encryption options chosen, only the networks defined.


Files

shunt.png (21.9 KB) shunt.png Markus Stockhausen, 07/28/2017 02:20 PM
Actions #1

Updated by Jim Thompson about 7 years ago

  • Assignee set to Renato Botelho
Actions #2

Updated by Ermal Luçi about 7 years ago

Now these should be called specifc policies.

Since phase2 is totally managed by the ipsec daemon there can be what is called shunt policies.
I am not sure where to put these on the GUI at this moment though!

Actions #3

Updated by Chris Buechler almost 7 years ago

  • Target version deleted (2.2)

not important for 2.2

Actions #4

Updated by Markus Stockhausen about 4 years ago

This feature wil be really helpful. Lets assume a office firewall connected to a HQ firewall. It serves sub multiple small subnets via different interfaces. Lets assumes these are 10.11.12.0/24 (LAN) and 10.20.30.0/24 (OPT1). To build a working routing one would need tens of SAs and build them around the subnets.

A simple implementation could be a single checkbox for each SA. If it is set the local SA part will create a shunt entry in ipsec.conf

Actions #5

Updated by Markus Stockhausen about 4 years ago

Example implementation

Actions #6

Updated by NCATS LAB about 3 years ago

Strongly Request feature.

We just lost a lot of time because this isn't implemented on SG-4860s.

On our REMOTE SG-4860, we has set up bridging for OPT1-OPT4 and couldn't figure out why everything worked to the GATEWAY except testing the DEF GW with PING.

System should be flexible enough to allow IPSEC tunnels on any interface without some background rule that only makes exceptions on LAN.

Thank-you

Actions #8

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Pull Request Review
Actions #9

Updated by Renato Botelho about 1 year ago

  • Status changed from Pull Request Review to Feedback
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #10

Updated by Steve Beaver about 1 year ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF