IPsec route config


(Douglas Nogueira) #1

Nethserver 7.5
Module: IPsec

I set up a VPN with the following IP and mask settings.

Along with the VPN, the system added a route to the address only via the default output interface, instead of the interface on which I set up the VPN. So I could not communicate with the IP on the other side; I had to remove the route and add it manually.

Route added by nethserver:

Route manually added:

I solved the communication problem by adding the IP as an alias of the p1p3 interface, removing the route added by the system and inserting one manually.

Is there any other way to fix this?

(Michael Kicks) #2

I would like to understand why the tunnel was built like that.
Also, is the subnet used for any other network segment?

(Douglas Nogueira) #3

My internal network is . This is a subnet used for a specific sector.

The VPN was made this way due to a need at the other end. I was asked to use a specific IP with a /32 mask.

In this format it works normally; I just wanted to find a way to remove the default route that IPsec inserts when it brings up the VPN. That would be good for me.

(Michael Kicks) #4

I used a /32 configuration on the local side (a Windows Server) to allow remote connection only to that server. I also limited the ports using firewall rules allowing only RDP; the remote endpoint is a small network subnet; therefore, the remote endpoint is a “client-only” connection (software client on a Windows PC) and the local one is the firewall, which allows connections only to the server. This environment has been realized with a Zyxel USG + Remote client.

Otherwise, I’ve seen IPsec used only for connecting sites, not hosts. I don’t know if the NethServer implementation (and route automation) of IPsec suits your scenario well.
@dev_team ?

(Douglas Nogueira) #5

Right @pike. I have a scenario identical to this on a SonicWall. Of course a firewall like SonicWall is already prepared for this kind of situation, which is not the case with NethServer, which is a system and not an advanced firewall.

The ideal solution to this would be the possibility of disabling the automatic route and inserting a custom one after the tunnel is built. Usually, when an IPsec tunnel is established, the required routing is done after that.

Anyway thank you for your comments.
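The manual fix described in post #1 (delete the automatically added host route, add one on the tunnel-facing interface with the alias as source address) and the wish in post #5 (re-apply custom routing every time the tunnel comes up) can be scripted. The script below is an added example, not code from the thread or from NethServer: it parses `ip route show` output, checks whether the /32 peer route uses the interface the tunnel needs, and prints the `ip route` commands that correct it. The addresses, the `SAMPLE_ROUTES` text, the interface name eth0 and the function names are constructed for illustration; p1p3 is the interface named in the thread. The `src` argument matters on Linux policy-based IPsec (the XFRM policies that libreswan/strongswan install): a packet to the peer is only encrypted if its source and destination match an installed policy, so a route that picks the wrong source address sends traffic to the peer in cleartext rather than failing. Compare the output of `ip xfrm policy` with the route before trusting the tunnel.

```shell
#!/bin/bash
# Added example for this thread; not NethServer code and not the posters' own.
# Checks the kernel host route for a remote /32 IPsec peer against the interface
# and source address the tunnel should use, and prints the `ip route` commands
# that replace a wrong route. All addresses below are constructed.

# Constructed sample of `ip route show`: the peer route (198.51.100.7) was
# installed on the default interface (eth0) instead of the tunnel-facing
# interface (p1p3), which is the situation described in post #1.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto static metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 dev eth0 scope link
10.20.0.0/24 dev p1p3 proto kernel scope link src 10.20.0.1'

# route_dev ROUTES HOST
# Prints the interface of the host route for HOST (listed either as a bare
# address or as HOST/32), or nothing if no such route exists.
route_dev() {
    printf '%s\n' "$1" | awk -v h="$2" '
        ($1 == h || $1 == (h "/32")) {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# fix_commands ROUTES HOST WANT_DEV SRC
# Prints nothing when the route already uses WANT_DEV. Otherwise prints a
# delete command (only if a host route exists) followed by the add command.
# SRC should be the local address declared in the tunnel (the alias on p1p3 in
# the thread); the XFRM policy only matches packets sourced from it.
fix_commands() {
    local routes=$1 host=$2 want=$3 src=$4 cur
    cur=$(route_dev "$routes" "$host")
    if [ "$cur" = "$want" ]; then
        return 0
    fi
    if [ -n "$cur" ]; then
        printf 'ip route del %s/32\n' "$host"
    fi
    printf 'ip route add %s/32 dev %s src %s\n' "$host" "$want" "$src"
}

# fix_live HOST WANT_DEV SRC
# Same check against the real routing table. Review the output, then pipe it
# to sh as root to apply it, e.g.:  fix_live 198.51.100.7 p1p3 10.20.0.1 | sh
fix_live() {
    fix_commands "$(ip route show)" "$1" "$2" "$3"
}
```

Because the automatic route comes back each time the tunnel is re-established, `fix_live` has to run after every tunnel start, from whatever post-up mechanism your setup provides; the script itself makes no assumption about how NethServer triggers that.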