Project

General

Profile

Actions

Bug #5826

closed

Auto-exclude LAN address feature only works for the LAN interface

Added by Jim Pingle almost 6 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
01/28/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

The "Auto-exclude LAN address" feature sets up the bypasslan block in strongSwan to exclude the LAN interface specifically from IPsec. Which works great for LAN but unfortunately other local subnets have no way to obtain the same protection for overlapping IPsec P2 networks.

Perhaps the control could be changed to a multi-select for all interfaces, or have a means to work for all local (e.g. interfaces without defined gateways)

Alternately, allowing negation P2 entries as mentioned in #3329 would be acceptable.

Actions #1

Updated by Jim Thompson almost 6 years ago

  • Assignee set to Steve Beaver
Actions #2

Updated by Markus Stockhausen over 4 years ago

We have the same problem. For my reminder. Configuration is created by /etc/inc/vpn.inc in the following lines

if (!empty($lanip) && is_ipaddrv4($lanip)) {
$lansn = get_interface_subnet("lan") - 2;
$lansa = gen_subnet($lanip, $lansn);
$ipsecconf .= <<<EOD

conn bypasslan
leftsubnet = {$lansa}/{$lansn}
rightsubnet = {$lansa}/{$lansn}
authby = never
type = passthrough
auto = route

EOD;

Actions #4

Updated by Jim Pingle over 1 year ago

  • Status changed from New to Closed
  • Assignee deleted (Steve Beaver)
  • Target version deleted (Future)

Closing in favor of #3329 -- The PR linked above is already mentioned there and solves this issue as well.

Actions

Also available in: Atom PDF