Exclude Multiple Subnets In IPSec



  • Hi mates,

    I use IPSec to route some of my servers so that they connect to the internet through IPSec.
    When I create a PH2 for a specific IP and the tunnel comes up, everything works fine, but my other subnets cannot communicate with that server.
    Is there any way to exclude my other subnets from these IPSec tunnels?



  • Sorry, but this is confusing.
    You say your subnets cannot work and you will "exclude" them from communication? That makes no sense, because why would you additionally exclude subnets which cannot work? Excluding them means blocking them.
    Or do you want to make them work with your servers?
    That can be easily achieved by widening the remote subnet mask in PH2.
    Suppose you have your local LANs all in the 10.1.x.y range with a 24-bit prefix (255.255.255.0); then just set the subnet mask to 16 bits, like 10.1.0.0/16.
    That will route all networks in the 10.1.x.y range into the tunnel to your servers.
    You can also add a static route, but this is the quick and dirty solution and not the best on virtual interfaces!



  • Thank you for your reply,
    here's the scenario:
    I have 4 subnets

    1. LAN: 172.16.9.0/24
    2. MGMT: 172.16.121.0/24
    3. LAB1: 172.16.122.0/24
    4. LAB2: 172.16.123.0/24
    I want to route internet traffic for one of my servers in "LAB2" through IPSec. When the tunnel comes up, the internet traffic for this server goes through the IPSec tunnel and works perfectly, but none of my machines in the other subnets can communicate with that server. I've tried everything in firewall rules, but no hope.
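As an added illustration of the situation in this thread (not code from any of the posters or from any firewall product): a small model of the phase 2 selector table, showing why a 0.0.0.0/0 remote selector for one server swallows its replies to the other subnets, and how more specific bypass entries per internal subnet keep that traffic local. The server address 172.16.123.10, the LAN client and the external host are constructed, and the "most specific selector wins" rule is an assumption about how the firewall evaluates policies.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread; the server address and the external host are constructed.
SUBNETS = {"LAN": "172.16.9.0/24", "MGMT": "172.16.121.0/24",
           "LAB1": "172.16.122.0/24", "LAB2": "172.16.123.0/24"}
SERVER = "172.16.123.10"       # assumed address of the LAB2 server
INTERNET_HOST = "203.0.113.5"  # documentation range, stands in for "the internet"


@dataclass(frozen=True)
class Policy:
    local: str    # source-side traffic selector (the "local" network of a phase 2)
    remote: str   # destination-side traffic selector (the "remote" network)
    action: str   # "protect" = send into the tunnel, "bypass" = route normally


def lookup(spd, src, dst):
    """Pick the action for one packet. Assumes the most specific matching
    selector pair wins (real stacks use ordering or priorities to the same
    effect); with no match the packet is routed normally."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for p in spd:
        lnet, rnet = ipaddress.ip_network(p.local), ipaddress.ip_network(p.remote)
        if src_ip in lnet and dst_ip in rnet:
            score = lnet.prefixlen + rnet.prefixlen
            if best is None or score > best[0]:
                best = (score, p.action)
    return best[1] if best else "bypass"


def symmetric(spd, a, b):
    """A flow only works if both directions get the same treatment."""
    return lookup(spd, a, b) == lookup(spd, b, a)


# Phase 2 as the question describes it: one server, everything else via the tunnel.
ORIGINAL = [Policy(f"{SERVER}/32", "0.0.0.0/0", "protect")]

# Same tunnel plus a more specific bypass entry for each internal subnet, so the
# server's replies to LAN/MGMT/LAB1/LAB2 hosts stay on the local network.
FIXED = ORIGINAL + [Policy(f"{SERVER}/32", net, "bypass") for net in SUBNETS.values()]

if __name__ == "__main__":
    lan_host = "172.16.9.20"  # constructed LAN client
    for name, spd in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: server->internet {lookup(spd, SERVER, INTERNET_HOST)}, "
              f"LAN->server {lookup(spd, lan_host, SERVER)}, "
              f"server->LAN {lookup(spd, SERVER, lan_host)}, "
              f"LAN flow works: {symmetric(spd, lan_host, SERVER)}")
```

The LAN host's packet to the server is never matched (the LAN host is not in the local selector), but the server's reply is, so only one direction enters the tunnel and the flow breaks; the bypass entries restore symmetry without touching the internet path.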
