IPsec route config

ipsec
vpn
v7

(Douglas Nogueira) #1

Nethserver 7.5
Module: IPsec

I closed a vpn with the following ip and mask settings.

Along with vpn the system added a route to the address 10.30.30.66/32 only with the default output interface, instead of the interface I closed the VPN. Soon I could not communicate with the ip on the other side, I had to remove the route and add manually.

Route added by nethserver:
rota1

Route manually added:
rota2

I solved the communication by adding the ip 10.0.4.220 as alias of the p1p3 interface, removing the route added by the system and inserting one manually.

Is there any other way to fix this?
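As an added check, not part of the thread: a small Python script that parses `ip route show` output and verifies that the kernel's longest-prefix match for the remote peer leaves via the tunnel's interface and local address, which is exactly what went wrong with the automatically added /32 route. The sample output is constructed; only 10.30.30.66, 10.0.4.220 and p1p3 come from the posts, the other interface names and addresses are invented.

```python
import ipaddress
import re

# Constructed `ip route show` output reproducing the problem: the host route to
# the peer points at the default interface (p1p1, invented name) instead of p1p3.
ROUTES_BROKEN = """\
default via 203.0.113.1 dev p1p1 proto static metric 100
10.0.0.0/16 dev p1p3 proto kernel scope link src 10.0.4.1
10.30.30.66 dev p1p1 scope link
203.0.113.0/24 dev p1p1 proto kernel scope link src 203.0.113.10
"""

# Same table after replacing the host route manually, with the tunnel's local
# address 10.0.4.220 as the preferred source (constructed).
ROUTES_FIXED = ROUTES_BROKEN.replace(
    "10.30.30.66 dev p1p1 scope link",
    "10.30.30.66 dev p1p3 scope link src 10.0.4.220")

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")

def parse_routes(text):
    """Turn `ip route show` lines into dicts with network, dev, via and src."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        src = re.search(r"\bsrc (\S+)", m.group("rest"))
        routes.append({"net": ipaddress.ip_network(dst, strict=False),
                       "dev": m.group("dev"), "via": m.group("via"),
                       "src": src.group(1) if src else None})
    return routes

def best_route(routes, ip):
    """Longest-prefix match, the same choice `ip route get` would show."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def check_peer_route(text, peer_ip, expected_dev, expected_src=None):
    """Report whether traffic to peer_ip leaves via the interface/source the tunnel needs."""
    route = best_route(parse_routes(text), peer_ip)
    if route is None:
        return {"ok": False, "problems": ["no route to peer"]}
    problems = []
    if route["dev"] != expected_dev:
        problems.append(f"dev {route['dev']} != expected {expected_dev}")
    if expected_src and route["src"] != expected_src:
        problems.append(f"src {route['src']} != expected {expected_src}")
    return {"ok": not problems, "route": str(route["net"]), "dev": route["dev"],
            "src": route["src"], "problems": problems}
```

Run it against the live table with `check_peer_route(subprocess.check_output(["ip", "route", "show"], text=True), "10.30.30.66", "p1p3", "10.0.4.220")` after the tunnel comes up to catch the misplaced route before traffic fails.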


(Michael Kicks) #2

I would like to understand why the tunnel was built like that.
Also, the subnet 10.0.4.0 is used for any other network segment?


(Douglas Nogueira) #3

My internal network is 10.0.0.0/16. This 10.0.4.0 is a subnet you use for a specific sector.

The vpn was made so due to a need of the other end. I was asked to use a specific IP with mask /32.

In this format it is working normal, I just wanted to find a way to remove the default route that IPsec entered when it goes up the VPN. That would be good for me.


(Michael Kicks) #4

I used a /32 configuration on the local side (a Windows Server) to allow remote connection only to that server. I also limited the ports using firewall rules allowing only RDP; the remote endpoint is a little network subnet; therefore, the remote endpoint is a “client-only” connection (software client on Windows PC) and the local one is the firewall, which allows connection only to the server. This environment has been realized with a Zyxel USG + Remote client.

Otherwise, I’ve seen IPSec used only for connecting sites, not hosts. I don’t know if the NethServer implementation (and route automation) of IPSec suits well with your scenario.
@dev_team ?


(Douglas Nogueira) #5

Right @pike. I have in a SonicWall a scenario identical to this. Of course a firewall like SonicWall is already prepared for this kind of situation, which is not the case with Nethserver, which is a system and not an advanced firewall.

The ideal solution to this would be the possibility to disable the automatic route and insert a custom after the tunnel construction. Usually when closing an IPsec tunnel, the required routing is done after that.

Anyway thank you for your comments.