Bug #5826

Auto-exclude LAN address feature only works for the LAN interface

Added by Jim Pingle over 4 years ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 01/28/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture:

Description

The "Auto-exclude LAN address" feature sets up the bypasslan block in strongSwan to exclude the LAN interface specifically from IPsec. This works great for LAN, but unfortunately other local subnets have no way to obtain the same protection for overlapping IPsec P2 networks.

Perhaps the control could be changed to a multi-select for all interfaces, or have a means to work for all local interfaces (e.g. interfaces without defined gateways).

Alternately, allowing negation P2 entries as mentioned in #3329 would be acceptable.
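As an added example (not pfSense's own code and not part of this ticket), the proposal above worked through in Python: take the on-link subnet of every interface without a gateway, render one strongSwan passthrough conn per subnet in the same shape as the bypasslan block, and report which P2 remote networks overlap a local subnet. The interface table is a constructed sample and its layout is an assumption, not pfSense's config structure.

```python
import ipaddress

# Constructed sample interface table (assumed shape, not pfSense's own config layout).
# An interface with a gateway is treated as upstream (WAN-like) and is never bypassed.
INTERFACES = {
    "lan":  {"ipaddr": "192.168.1.1",  "subnet": 24, "gateway": None},
    "opt1": {"ipaddr": "10.10.0.1",    "subnet": 16, "gateway": None},
    "wan":  {"ipaddr": "203.0.113.10", "subnet": 24, "gateway": "203.0.113.1"},
}


def local_subnets(interfaces):
    """Return (name, network) for every interface that has no gateway defined."""
    nets = []
    for name, cfg in interfaces.items():
        if cfg.get("gateway"):
            continue
        # strict=False turns the interface address into its network (192.168.1.1/24 -> 192.168.1.0/24).
        net = ipaddress.ip_network(f"{cfg['ipaddr']}/{cfg['subnet']}", strict=False)
        nets.append((name, net))
    return nets


def bypass_conns(interfaces):
    """Render one passthrough conn per local subnet, mirroring the bypasslan block."""
    blocks = []
    for name, net in local_subnets(interfaces):
        blocks.append(
            f"conn bypass{name}\n"
            f"\tleftsubnet = {net}\n"
            f"\trightsubnet = {net}\n"
            f"\tauthby = never\n"
            f"\ttype = passthrough\n"
            f"\tauto = route\n"
        )
    return "\n".join(blocks)


def overlapping_p2(interfaces, p2_remote_networks):
    """List (interface, local net, P2 net) where a P2 remote network overlaps a local subnet.

    These are exactly the cases where local traffic would otherwise be caught by the
    IPsec policy and therefore need a passthrough conn."""
    hits = []
    for name, net in local_subnets(interfaces):
        for p2 in p2_remote_networks:
            p2net = ipaddress.ip_network(p2, strict=False)
            if net.overlaps(p2net):
                hits.append((name, str(net), str(p2net)))
    return hits
```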

History

#1 Updated by Jim Thompson over 4 years ago

  • Assignee set to Steve Beaver

#2 Updated by Markus Stockhausen about 3 years ago

We have the same problem. For my reminder. Configuration is created by /etc/inc/vpn.inc in the following lines:

if (!empty($lanip) && is_ipaddrv4($lanip)) {
	// Prefix length and network address used for the bypass policy.
	$lansn = get_interface_subnet("lan") - 2;
	$lansa = gen_subnet($lanip, $lansn);
	// Passthrough conn: traffic within the LAN subnet bypasses the IPsec policies.
	// Parameter lines inside a conn must be indented in ipsec.conf.
	$ipsecconf .= <<<EOD

conn bypasslan
	leftsubnet = {$lansa}/{$lansn}
	rightsubnet = {$lansa}/{$lansn}
	authby = never
	type = passthrough
	auto = route

EOD;
}

#4 Updated by Jim Pingle 3 months ago

  • Status changed from New to Closed
  • Assignee deleted (Steve Beaver)
  • Target version deleted (Future)

Closing in favor of #3329 -- The PR linked above is already mentioned there and solves this issue as well.
