Bug #4504

Bring back local network SPD exclusions for IPsec

Added by Jim Pingle over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 03/10/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.2
Affected Architecture: All

Description

On 2.1.x and before, exclusions were added to prevent local traffic from entering IPsec, including traffic from the LAN network to the LAN interface and between other local networks. On 2.2 these have been removed.

Without these exclusions, it's impossible to have a functional tunnel that sends all traffic over IPsec (0.0.0.0/0 remote) or one that uses a summarized network remote (10.0.0.0/8 when the LAN is also a 10.x.x.x net).

I thought there was already a ticket for this but couldn't locate one. If the other one turns up, close this one and make sure the other is targeted for 2.2.2.
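The failure the description covers, as an added illustration that is not part of this ticket or of pfSense's code: a minimal model of an IPsec SPD lookup showing why a "pass" policy for LAN-sourced traffic to the LAN address (and LAN to LAN) has to sit ahead of a 0.0.0.0/0 or 10.0.0.0/8 tunnel policy. The LAN subnet 10.1.0.0/24, the firewall LAN address 10.1.0.1, the sample hosts and the most-specific-first policy order are assumptions.

```python
import ipaddress

# Constructed illustration, not pfSense code: a minimal model of an IPsec
# Security Policy Database (SPD) lookup, to show why local traffic needs an
# explicit "pass" (bypass) policy when the tunnel's remote network is
# 0.0.0.0/0 or a summary such as 10.0.0.0/8 that also covers the LAN.

LAN_NET = ipaddress.ip_network("10.1.0.0/24")  # assumed LAN subnet
LAN_IP = ipaddress.ip_address("10.1.0.1")      # assumed firewall LAN address


def make_spd(remote_net, bypass_lan):
    """Build an ordered SPD: a list of (src_net, dst_net, action).

    Policies are consulted in order, most specific first, as a kernel SPD
    does by priority. The two bypass entries mirror the exclusions this
    ticket restores: source LAN subnet to the LAN address, and LAN to LAN.
    """
    spd = []
    if bypass_lan:
        spd.append((LAN_NET, ipaddress.ip_network(f"{LAN_IP}/32"), "pass"))
        spd.append((LAN_NET, LAN_NET, "pass"))
    # The tunnel policy itself: LAN subnet to the (possibly summarized) remote.
    spd.append((LAN_NET, ipaddress.ip_network(remote_net), "ipsec"))
    return spd


def lookup(spd, src, dst):
    """Return the action of the first policy matching the flow src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in spd:
        if s in src_net and d in dst_net:
            return action
    return "none"  # no policy: ordinary routing applies


def local_flows_bypassed(remote_net, bypass_lan):
    """True when LAN host -> LAN IP and LAN host -> LAN host stay out of IPsec."""
    spd = make_spd(remote_net, bypass_lan)
    return (lookup(spd, "10.1.0.50", str(LAN_IP)) == "pass"
            and lookup(spd, "10.1.0.50", "10.1.0.60") == "pass")


if __name__ == "__main__":
    for remote in ("0.0.0.0/0", "10.0.0.0/8"):
        for bypass in (False, True):
            spd = make_spd(remote, bypass)
            print(remote, "bypass" if bypass else "no bypass",
                  "host->LAN IP:", lookup(spd, "10.1.0.50", "10.1.0.1"),
                  "host->remote:", lookup(spd, "10.1.0.50", "10.5.5.5"))
```

Without the bypass entries the flow from a LAN host to the firewall's own LAN address matches the 0.0.0.0/0 (or 10.0.0.0/8) tunnel policy and is pushed into the tunnel, which is the breakage the ticket describes.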

Associated revisions

Revision 53475389 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel

Revision 0887e836 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel

Revision 9b7ca37d (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 use correct key index

Revision b8eeddeb (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 use correct key index

Revision 755b75c7 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 Provide a newline to generate proper config

Revision 491c76c8 (diff)
Added by Ermal Luçi over 4 years ago

Fixes #4504 Provide a newline to generate proper config

Revision 5a2ebbb1 (diff)
Added by Ermal Luçi over 4 years ago

Upgraded configurations should keep the default configuration of bypassing lan from ipsec. Ticket #4504

Revision 74eaabbb (diff)
Added by Ermal Luçi over 4 years ago

Upgraded configurations should keep the default configuration of bypassing lan from ipsec. Ticket #4504

Revision 8206b2d9 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4504 actually make it correct

Revision 3d48d3c5 (diff)
Added by Ermal Luçi over 4 years ago

Ticket #4504 actually make it correct

Revision 600b4c3b (diff)
Added by Chris Buechler over 4 years ago

fix type. Ticket #4504

Revision c01f5dac (diff)
Added by Chris Buechler over 4 years ago

fix type. Ticket #4504

Revision 0a9e6c85 (diff)
Added by Chris Buechler over 4 years ago

Fix up Ticket #4504 implementation. Match config style with other areas. Use a config setting to disable, rather than enable, this functionality since it's enabled by default so the tag isn't necessary in the default config. Remove now unnecessary config upgrade code.

Revision c5292060 (diff)
Added by Chris Buechler over 4 years ago

Fix up Ticket #4504 implementation. Match config style with other areas. Use a config setting to disable, rather than enable, this functionality since it's enabled by default so the tag isn't necessary in the default config. Remove now unnecessary config upgrade code.

History

#1 Updated by Ermal Luçi over 4 years ago

  • Status changed from New to Feedback

#2 Updated by Ermal Luçi over 4 years ago

  • % Done changed from 0 to 100

#3 Updated by Ermal Luçi over 4 years ago

#4 Updated by Ermal Luçi over 4 years ago

#5 Updated by Ermal Luçi over 4 years ago

#6 Updated by Ermal Luçi over 4 years ago

#7 Updated by Ermal Luçi over 4 years ago

#8 Updated by Chris Buechler over 4 years ago

  • Status changed from Feedback to Resolved

The behavior is back to where it was in 2.1.5 and previous versions, excluding source LAN subnet, destination LAN IP.
