Bug #5826
Auto-exclude LAN address feature only works for the LAN interface
Status: Closed
Description
The "Auto-exclude LAN address" feature sets up the bypasslan block in strongSwan to exclude the LAN interface specifically from IPsec. This works great for LAN, but unfortunately other local subnets have no way to obtain the same protection for overlapping IPsec P2 networks.
Perhaps the control could be changed to a multi-select for all interfaces, or have a means to work for all local interfaces (e.g. interfaces without defined gateways).
Alternately, allowing negation P2 entries as mentioned in #3329 would be acceptable.
Updated by Markus Stockhausen over 7 years ago
We have the same problem. For my reminder: the configuration is created by /etc/inc/vpn.inc in the following lines:
if (!empty($lanip) && is_ipaddrv4($lanip)) {
    // LAN prefix length; gen_subnet() masks the host bits off the LAN address
    $lansn = get_interface_subnet("lan");
    $lansa = gen_subnet($lanip, $lansn);
    // passthrough policy for the LAN subnet: traffic to/from it bypasses IPsec,
    // so an overlapping P2 cannot swallow local LAN traffic
    $ipsecconf .= <<<EOD
conn bypasslan
    leftsubnet = {$lansa}/{$lansn}
    rightsubnet = {$lansa}/{$lansn}
    authby = never
    type = passthrough
    auto = route

EOD;
}
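The following is an added example, not pfSense's vpn.inc code and not part of this ticket, showing what the reporter's suggestion would look like in practice: one strongSwan passthrough conn per local interface (any IPv4 interface without a gateway) instead of a single hard-coded LAN block. The function names `network_address()` and `bypass_conns()`, the `$interfaces` array and its `ip`/`subnet`/`gateway` keys are assumptions standing in for the values pfSense would obtain from `get_interface_ip()`, `get_interface_subnet()` and the interface's gateway setting; the addresses are constructed sample data.

```php
<?php
// Added example (not pfSense's own code): emit a strongSwan "passthrough"
// conn for every local interface, generalising the bypasslan block above.

function network_address(string $ip, int $prefix): string
{
    // Mask the host bits off so the conn covers the whole subnet, not just
    // the interface address (same role as gen_subnet() in vpn.inc).
    if ($prefix < 0 || $prefix > 32) {
        throw new InvalidArgumentException("bad prefix length: $prefix");
    }
    $mask = $prefix === 0 ? 0 : (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF;
    return long2ip(ip2long($ip) & $mask);
}

function bypass_conns(array $interfaces): string
{
    $conf = '';
    foreach ($interfaces as $name => $if) {
        // Treat only IPv4 interfaces without a gateway as "local", as the
        // report suggests; WAN-type interfaces keep their normal IPsec policy.
        if (!empty($if['gateway'])) {
            continue;
        }
        if (filter_var($if['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            continue;
        }
        $cidr = network_address($if['ip'], $if['subnet']) . '/' . $if['subnet'];
        // authby = never + type = passthrough installs a bypass policy in the
        // kernel SPD without any IKE negotiation; auto = route loads it on start.
        $conf .= <<<EOD
conn bypass{$name}
    leftsubnet = {$cidr}
    rightsubnet = {$cidr}
    authby = never
    type = passthrough
    auto = route


EOD;
    }
    return $conf;
}

// Constructed sample interfaces (hypothetical values, not from a real system).
$interfaces = [
    'lan'  => ['ip' => '192.168.1.1',  'subnet' => 24, 'gateway' => ''],
    'opt1' => ['ip' => '10.20.30.5',   'subnet' => 22, 'gateway' => ''],
    'wan'  => ['ip' => '203.0.113.10', 'subnet' => 29, 'gateway' => '203.0.113.9'],
    'opt2' => ['ip' => 'fd00::1',      'subnet' => 64, 'gateway' => ''],
];

// Emits bypasslan (192.168.1.0/24) and bypassopt1 (10.20.28.0/22);
// wan is skipped because it has a gateway, opt2 because it is IPv6.
echo bypass_conns($interfaces);
```

Note that opt1's interface address 10.20.30.5/22 is normalised to 10.20.28.0/22 before it is written out; a passthrough conn with host bits left in the subnet would not match the traffic selector strongSwan installs, which is exactly the overlap problem this ticket is about.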
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Closed
- Assignee deleted (Anonymous)
- Target version deleted (Future)
Closing in favor of #3329 -- The PR linked above is already mentioned there and solves this issue as well.