Along with the VPN, the system added a route to the address 10.30.30.66/32, but only via the default output interface instead of the interface on which I closed the VPN. Soon I could not communicate with the IP on the other side; I had to remove the route and add it manually.
Route added by nethserver:
Route manually added:
I solved the communication issue by adding the IP 10.0.4.220 as an alias of the p1p3 interface, removing the route added by the system and inserting one manually.
My internal network is 10.0.0.0/16. This 10.0.4.0 is a subnet you use for a specific sector.
The vpn was made so due to a need of the other end. I was asked to use a specific IP with mask /32.
In this format it is working normally; I just wanted to find a way to remove the default route that IPsec enters when it brings up the VPN. That would be good for me.
I used a /32 configuration on the local side (a Windows Server) to allow remote connection only to that server. I also limited the ports using firewall rules allowing only RDP; the remote endpoint is a little network subnet; therefore, the remote endpoint is a “client-only” connection (software client on Windows PC) and the local one is the firewall, which allows connection only to the server. This environment has been realized with a Zyxel USG + Remote client.
Otherwise, I’ve seen IPsec used only for connecting sites, not hosts. I don’t know if the NethServer implementation (and route automation) of IPsec suits your scenario well. @dev_team ?
Right @pike. I have in a SonicWall a scenario identical to this. Of course a firewall like SonicWall is already prepared for this kind of situation, which is not the case with NethServer, which is a system and not an advanced firewall.
The ideal solution to this would be the possibility to disable the automatic route and insert a custom one after the tunnel is built. Usually when closing an IPsec tunnel, the required routing is done after that.
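A way to script the manual fix the thread describes, as an added example that is neither NethServer's code nor any poster's: it inspects an `ip route show` listing, detects when the peer's /32 host route sits on the default-route interface, and emits the delete/replace commands. The peer 10.30.30.66, the interface p1p3 and the alias 10.0.4.220 are taken from the thread; the sample route table is constructed.

```shell
#!/bin/sh
# Added example (not NethServer's route automation). Detect an IPsec peer /32
# route that landed on the default interface and print the corrective commands.
PEER="10.30.30.66"     # remote tunnel endpoint from the thread
VPN_IF="p1p3"          # interface that should carry the peer route
VPN_SRC="10.0.4.220"   # alias added to p1p3 as the local tunnel address

# Constructed stand-in for the live `ip route show` output.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.0.0.0/16 dev p1p3 proto kernel scope link src 10.0.4.1
10.30.30.66 dev eth0 scope link'

# Interface named on the default route.
default_iface() {
    printf '%s\n' "$1" | awk '$1=="default" {for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1)}'
}

# Interface currently carrying a host route to the peer (empty if none).
peer_iface() {
    printf '%s\n' "$1" | awk -v p="$2" '$1==p || $1==p"/32" {for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1)}'
}

# Print del+replace commands only when the peer route is on the default
# interface and not already on VPN_IF; print nothing when it is correct.
fix_commands() {
    routes="$1"
    def=$(default_iface "$routes")
    cur=$(peer_iface "$routes" "$PEER")
    if [ -n "$cur" ] && [ "$cur" = "$def" ] && [ "$cur" != "$VPN_IF" ]; then
        printf 'ip route del %s/32 dev %s\n' "$PEER" "$cur"
        printf 'ip route replace %s/32 dev %s src %s\n' "$PEER" "$VPN_IF" "$VPN_SRC"
    fi
}

fix_commands "$SAMPLE_ROUTES"
```

Run against the live table with `fix_commands "$(ip route show)"` and review the printed commands before executing them as root.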