Netgate Discussion Forum

    Bypassing ipsec with remote network of 0.0.0.0/0

    IPsec
    7 Posts 3 Posters 786 Views
      jgraham5481

      Hi, I have 2 LANs on my pfSense setup: 10.0.95.0/29, my corp LAN, with an IPsec tunnel set to send all traffic over the tunnel. I also have my personal LAN, 192.168.227.0/24. Per my rules I have a host on my personal LAN that is allowed to hit any on my corp LAN, and rules to allow any on the corp LAN to hit the host on my personal LAN. When I ping the host on my personal LAN from my corp LAN, it tries to send it over the IPsec tunnel.
      How can I exclude that host or subnet from going over the tunnel? I already have the option for LAN bypass ticked in IPsec and that works as expected: any host in the corp LAN can ping the corp gateway.

        viktor_g Netgate

        What is your pfSense version?

        PR/feature request for IPsec bypass rules (for 2.5): https://redmine.pfsense.org/issues/3329

          jgraham5481 @viktor_g

          @viktor_g
          Currently running 2.4.5 p1 on a 3100 appliance. If 2.5 is stable and better unleashes strongSwan, I'm game. Tough to tell how stable it is. My config is simple: WAN on DHCP, a couple of LANs, DHCP, DNS, IPsec, a package for UPS monitoring, and a couple of VLANs on the switch. Seems like most folks that have issues also have weird configs like PPPoE, things like that.

            lolipoplo
            last edited by lolipoplo

            What is your "Local Network" in the phase 2 config?
            Also, if you want to be precise, what's your "leftsubnet" in ipsec.conf?

            Please show your route table and interfaces of your IKE-connected client.
            Also, on your pfSense shell, dump your policy-based routing with setkey -DP.

              jgraham5481

              Local/left is 10.0.95.0/29 (my corp LAN subnet).

              Output below, public IPs redacted:

              10.0.95.0/29[any] 10.0.95.0/29[any] any
              in none
              created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
              lifetime: 2147483647(s) validtime: 0(s)
              spid=2 seq=3 pid=70974 scope=global
              refcnt=1
              0.0.0.0/0[any] 10.0.95.0/29[any] any
              in ipsec
              esp/tunnel/remotepublic-localpublic/unique:1
              created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
              lifetime: 2147483647(s) validtime: 0(s)
              spid=41 seq=2 pid=70974 scope=global
              refcnt=44
              10.0.95.0/29[any] 10.0.95.0/29[any] any
              out none
              created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
              lifetime: 2147483647(s) validtime: 0(s)
              spid=1 seq=1 pid=70974 scope=global
              refcnt=1
              10.0.95.0/29[any] 0.0.0.0/0[any] any
              out ipsec
              esp/tunnel/mypublic-remotepublic/unique:1
              created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
              lifetime: 2147483647(s) validtime: 0(s)
              spid=42 seq=0 pid=70974 scope=global
              refcnt=44

              Also, I spun up a vm of the latest 2.5 version and don't see the bypass all locals option proposed in this: https://redmine.pfsense.org/issues/3329

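The setkey -DP dump above is the whole story of why the ping to the personal LAN is captured: the only "out" policy that covers 10.0.95.0/29 to 192.168.227.0/24 is the catch-all 10.0.95.0/29 to 0.0.0.0/0 "ipsec" entry (spid=42), while the pfSense LAN-bypass entries (spid=1 and spid=2, action "none") only cover 10.0.95.0/29 to itself. The following is an added example, not code from the thread or from pfSense: it parses the posted dump, lists every SPD entry whose selectors cover a given flow, checks whether an explicit "none" bypass pair exists between two subnets, and prints the setkey(8) spdadd lines such a pair would consist of. It does not model the kernel's own choice when several entries match (LAN-to-LAN hits both the bypass and the catch-all; the poster confirms the bypass wins there). The sample host addresses 10.0.95.2 and 192.168.227.10 are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Parse a `setkey -DP` SPD dump (FreeBSD / pfSense) and report which
policies cover a flow.  Added example for the thread; not pfSense code.
SAMPLE_SPD is the dump posted in the thread (public IPs already redacted
by the poster); 192.168.227.0/24 is the personal LAN from the first post."""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_SPD = """\
10.0.95.0/29[any] 10.0.95.0/29[any] any
in none
created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=2 seq=3 pid=70974 scope=global
refcnt=1
0.0.0.0/0[any] 10.0.95.0/29[any] any
in ipsec
esp/tunnel/remotepublic-localpublic/unique:1
created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=41 seq=2 pid=70974 scope=global
refcnt=44
10.0.95.0/29[any] 10.0.95.0/29[any] any
out none
created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=1 seq=1 pid=70974 scope=global
refcnt=1
10.0.95.0/29[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/mypublic-remotepublic/unique:1
created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=42 seq=0 pid=70974 scope=global
refcnt=44
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str        # upper-layer protocol selector ("any" here)
    direction: str    # "in", "out" or "fwd"
    action: str       # "none" = bypass, "ipsec" = must be protected, "discard"
    spid: int


# "10.0.95.0/29[any] 0.0.0.0/0[any] any"  ->  src[port] dst[port] upperspec
SELECTOR = re.compile(r"^([^\[\s]+)\[[^\]]*\]\s+([^\[\s]+)\[[^\]]*\]\s+(\S+)$")
ACTION = re.compile(r"^(in|out|fwd)\s+(none|ipsec|discard)\b")
SPID = re.compile(r"\bspid=(\d+)")


def parse_spd(dump):
    """Return the SPD entries in dump order; each entry ends at its spid= line."""
    policies, cur = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if (m := SELECTOR.match(line)):
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)), "upper": m.group(3)}
        elif cur is not None and (m := ACTION.match(line)):
            cur["direction"], cur["action"] = m.group(1), m.group(2)
        elif cur is not None and (m := SPID.search(line)):
            policies.append(Policy(**cur, spid=int(m.group(1))))
            cur = None
    return policies


def matching_policies(policies, src_ip, dst_ip, direction):
    """Every entry whose selectors cover src_ip -> dst_ip in that direction.
    Several may match; which one the kernel applies is not modelled here."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst]


def bypass_exists(policies, local_net, other_net):
    """True if explicit 'none' policies cover local->other (out) and
    other->local (in), i.e. that traffic is excluded from the tunnel."""
    local, other = ipaddress.ip_network(local_net), ipaddress.ip_network(other_net)

    def covered(direction, src, dst):
        return any(p.action == "none" and p.direction == direction
                   and src.subnet_of(p.src) and dst.subnet_of(p.dst)
                   for p in policies)
    return covered("out", local, other) and covered("in", other, local)


def bypass_spdadd(local_net, other_net):
    """setkey(8) lines for such a bypass pair, in the same form as the
    LAN-bypass entries already in the dump.  As the thread notes, pfSense
    regenerates its IPsec configuration, so hand-added policies do not persist."""
    return [f"spdadd {local_net} {other_net} any -P out none;",
            f"spdadd {other_net} {local_net} any -P in none;"]


if __name__ == "__main__":
    pol = parse_spd(SAMPLE_SPD)
    # constructed probe: corp-LAN host pinging the personal-LAN host
    for p in matching_policies(pol, "10.0.95.2", "192.168.227.10", "out"):
        print(f"spid={p.spid} {p.direction} {p.action} {p.src} -> {p.dst}")
    if not bypass_exists(pol, "10.0.95.0/29", "192.168.227.0/24"):
        print("no bypass pair for the personal LAN; equivalent policies:")
        print("\n".join(bypass_spdadd("10.0.95.0/29", "192.168.227.0/24")))
```

Run against a live dump with `setkey -DP | python3 spdcheck.py` after swapping the sample for `sys.stdin.read()`; the useful output is the list of entries that cover the flow you expected to stay local, which is exactly what distinguishes "captured by the catch-all" from "no policy at all".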
                jgraham5481

                Also, I know strongSwan well enough to put in another bypass, but how to keep pfSense from overwriting it is beyond me. Making ipsec.conf read-only won't do it, and "chattr" doesn't seem to be a command in the shell.

                  lolipoplo
                  last edited by lolipoplo

                  I don't see default routes like /0 networks in my IPSec policy.

                  Did you set it up for mobile clients or site-to-site?

                  Manual config of ipsec.conf won't cut it. I think the entire ipsec directory is generated on demand.

                  Can you show your full ipsec.conf?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.