IPsec forward to LAN
-
Is there anything fundamentally wrong with running IPsec on the LAN interface and port forwarding from WAN and WAN2 (I have two WAN connections)? I want to do this rather than run on the WAN interface, as I want the tunnel to be available to users whether they use WAN or WAN2. Other than making the settings a little more complicated, are there security implications that I should be worried about?
-
There shouldn't be anything to worry about, security-wise, doing it that way. You might have some issues with IPsec+NAT that way, but it may be OK. I suspect that if it works at all it may be fine.
-
After more investigation, it does indeed work properly doing what I suggested above.
I also noticed in the newer builds that when racoon is started it binds to all interfaces' current IP addresses. If I understand correctly, for whichever interface is set in the phase 1 setup, hidden firewall rules are automatically added to allow ports 500/4500 UDP on that interface. So what I did was set WAN 1 in the phase 1 setup and then on WAN2 I manually opened 500/4500 UDP. This also works. What I would like to know is what is the "best" way to do this from a security and not-getting-broken-on-upgrades perspective.
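As an added example that is not part of this thread and not pfSense's own code: a small POSIX shell check that confirms the IKE daemon has bound both UDP 500 and UDP 4500 on each WAN address, and prints the pf rules the second WAN would otherwise need opened by hand. It reads a constructed `sockstat -4 -l` listing embedded in the script, so it runs offline; the interface names em0/em1, the RFC 5737 addresses, and the exact pf rule syntax are assumptions, not what any particular pfSense build generates.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that racoon listens on UDP
# 500 and 4500 on every WAN address and shows the pf rules a WAN without
# the auto-generated rules would need. All input below is constructed.

# Constructed `sockstat -4 -l` output from a FreeBSD/pfSense-style host.
# Note the second WAN address (198.51.100.20) is only bound on port 500.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     1234  5  udp4   192.0.2.10:500        *:*
root     racoon     1234  6  udp4   192.0.2.10:4500       *:*
root     racoon     1234  7  udp4   10.0.0.1:500          *:*
root     racoon     1234  8  udp4   10.0.0.1:4500         *:*
root     racoon     1234  9  udp4   198.51.100.20:500     *:*'

# ike_listen_ok ADDR: returns 0 if both UDP 500 and 4500 are bound on ADDR,
# 1 otherwise. Field 5 is PROTO, field 6 is LOCAL ADDRESS in sockstat output.
ike_listen_ok() {
    addr="$1"
    for port in 500 4500; do
        printf '%s\n' "$SAMPLE_SOCKSTAT" \
            | awk -v want="${addr}:${port}" \
                  '$5 == "udp4" && $6 == want { found = 1 }
                   END { exit found ? 0 : 1 }' \
            || return 1
    done
    return 0
}

# pf_ike_rules IFACE ADDR: prints illustrative pf pass rules for IKE and
# NAT-T on IFACE (assumed syntax; pfSense adds equivalent hidden rules
# only for the interface chosen in the phase 1 setup).
pf_ike_rules() {
    printf 'pass in quick on %s proto udp from any to %s port = 500 keep state\n' "$1" "$2"
    printf 'pass in quick on %s proto udp from any to %s port = 4500 keep state\n' "$1" "$2"
}

# missing_ike_listeners IF:ADDR [IF:ADDR ...]: reports each WAN, prints the
# rules for any WAN lacking a full IKE listener, and returns the number of
# WANs that are missing one (0 means every WAN is ready).
missing_ike_listeners() {
    missing=0
    for pair in "$@"; do
        ifn="${pair%%:*}"
        addr="${pair#*:}"
        if ike_listen_ok "$addr"; then
            echo "$ifn ($addr): IKE listening on UDP 500 and 4500"
        else
            echo "$ifn ($addr): MISSING UDP 500/4500 listener; rules needed:"
            pf_ike_rules "$ifn" "$addr"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: em0 is the phase-1 WAN, em1 is WAN2 (assumed names).
missing_ike_listeners "em0:192.0.2.10" "em1:198.51.100.20"
```

On a live box, replace `SAMPLE_SOCKSTAT` with the output of `sockstat -4 -l` and the `IF:ADDR` pairs with the real WAN interfaces; a non-zero return tells you which WAN still needs UDP 500 and 4500 opened before the tunnel can be reached over it.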