Netgate Discussion Forum

IPSec bypass-lan does not work / plugin missing

4 Posts 2 Posters 1.5k Views
  • hege
    last edited by Aug 31, 2018, 3:18 PM

    Hello,

    we have the problem that the traffic is routed over the IPSec connection, although the target network is a local network that is connected via a second interface.

    Our network setup:

    Company NET: 10.64.0.0/10
    Headquarter: 10.64.0.0/16
    Branch office A: 10.65.0.0/16
    A-SubInterface1: 10.65.0.0/24
    A-SubInterface2: 10.65.1.0/24
    Branch office B: 10.66.0.0/16
    Branch office C: 10.67.0.0/16

    IPSec Settings:
    P2 10.65.0.0/16 <-> 10.64.0.0/10 (so each Branch office can reach the HQ and other branch offices, as far as the fw ruleset allows it.)

    According to https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan with the plugin enabled it should be possible to reach 10.65.1.X from 10.65.0.X. Instead the traffic always enters the ipsec interface.

    What exactly does the option "Auto-exclude LAN address" do? It seems to have nothing to do with the bypass-lan plugin, which does not seem to be available.

    Status of IKE charon daemon (strongSwan 5.6.2, FreeBSD 11.1-RELEASE-p10, amd64):
      loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
    
    • jimp (Rebel Alliance Developer, Netgate)
      last edited by Sep 4, 2018, 5:25 PM

      The pfSense option to exclude the LAN adds a set of SPDs that cause traffic from/to the interface internally labeled "lan" to not pass through IPsec.

      It only works with the first local interface (internally called "lan") and not with other local interfaces.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

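An added example, not code from this thread, pfSense or strongSwan: a small model of a policy-based SPD that shows why 10.65.0.X to 10.65.1.X from the first post is captured by the P2 selector 10.65.0.0/16 <-> 10.64.0.0/10 (the destination lies inside the /10), why excluding only the "lan" subnet as jimp describes leaves that flow in the tunnel, and what an explicit pass policy for the branch's own /16 changes. The most-specific-match rule, the subnet-to-itself form of the bypass policy and the sample host addresses are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "protect" = send through the IPsec SA, "pass" = bypass IPsec

def lookup(spd: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Most specific matching selector pair wins (an assumption of this model,
    in the spirit of strongSwan's prefix-length based policy priorities)."""
    s, d = ip_address(src), ip_address(dst)
    matches = [p for p in spd if s in p.src and d in p.dst]
    if not matches:
        return None  # no policy: ordinary routing, never touches IPsec
    return max(matches, key=lambda p: p.src.prefixlen + p.dst.prefixlen)

def is_encapsulated(spd: List[Policy], src: str, dst: str) -> bool:
    p = lookup(spd, src, dst)
    return p is not None and p.action == "protect"

def policy(src: str, dst: str, action: str) -> Policy:
    return Policy(ip_network(src), ip_network(dst), action)

# Constructed from the first post: P2 10.65.0.0/16 <-> 10.64.0.0/10 (outbound side).
TUNNEL = [policy("10.65.0.0/16", "10.64.0.0/10", "protect")]
# Bypass only the first local interface (assumed form: the subnet to itself).
LAN_ONLY = TUNNEL + [policy("10.65.0.0/24", "10.65.0.0/24", "pass")]
# Bypass everything that stays inside branch A.
BRANCH_LOCAL = TUNNEL + [policy("10.65.0.0/16", "10.65.0.0/16", "pass")]

def report(spd: List[Policy]) -> dict:
    """Which of the poster's flows end up inside the tunnel under a given SPD."""
    flows = {  # constructed sample hosts in the subnets from the post
        "sub1->sub2": ("10.65.0.10", "10.65.1.10"),  # the failing local flow
        "sub1->hq": ("10.65.0.10", "10.64.5.5"),  # must stay in the tunnel
        "sub1->branchB": ("10.65.0.10", "10.66.0.7"),
    }
    return {name: is_encapsulated(spd, *f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, spd in ("tunnel only", TUNNEL), ("lan bypass", LAN_ONLY), ("branch bypass", BRANCH_LOCAL):
        print(name, report(spd))
```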
      • hege
        last edited by Sep 7, 2018, 8:02 PM

        Ok thanks, so in that case I'm looking forward to route-based IPsec.
        Is there any good reason why the lan bypass is implemented as a set of SPDs instead of using the appropriate strongswan plugin?

        • jimp (Rebel Alliance Developer, Netgate)
          last edited by Sep 7, 2018, 8:28 PM

          I don't recall the history there specifically. I'm not familiar with that plugin myself. In the past, however, there were a number of strongSwan plugins that were not supported on FreeBSD or did not work properly there. It would not surprise me to find that was the case here, or that SPDs behaved in a more consistent and predictable manner.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.