Bypassing IPsec with remote network of 0.0.0.0/0
-
Hi, I have 2 LANs on my pfSense setup: 10.0.95.0/29, my corp LAN, with an IPsec tunnel set to send all traffic over the tunnel. I also have my personal LAN, 192.168.227.0/24. Per my rules I have a host on my personal LAN that is allowed to hit anything on my corp LAN, and rules to allow anything on the corp LAN to hit the host on my personal LAN. When I ping the host on my personal LAN from my corp LAN, it tries to send it over the IPsec tunnel.
How can I exclude that host or subnet from going over the tunnel? I already have the LAN bypass option ticked in IPsec and that is as expected: anything on the corp LAN can ping the corp gateway. -
What is your pfSense version?
PR/feature request for IPsec bypass rules (for 2.5): https://redmine.pfsense.org/issues/3329
-
@viktor_g
Currently running 2.4.5-p1 on a 3100 appliance. If 2.5 is stable and better unleashes strongSwan, I'm game. Tough to tell how stable it is. My config is simple: WAN on DHCP, a couple of LANs, DHCP, DNS, IPsec, a package for UPS monitoring, and a couple of VLANs on the switch. Seems like most folks that have issues also have weird configs like PPPoE, things like that. -
What is your "Local Network" in the phase 2 config?
Also, if you want to be precise, what's your "leftsubnet" in ipsec.conf? Please show your route table and the interfaces of your IKE-connected client.
Also, on your pfSense shell, dump your policy-based routing with setkey -DP -
Local/left is 10.0.95.0/29 (my corp LAN subnet).
Output below, public IPs protected:
10.0.95.0/29[any] 10.0.95.0/29[any] any
in none
created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=2 seq=3 pid=70974 scope=global
refcnt=1
0.0.0.0/0[any] 10.0.95.0/29[any] any
in ipsec
esp/tunnel/remotepublic-localpublic/unique:1
created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=41 seq=2 pid=70974 scope=global
refcnt=44
10.0.95.0/29[any] 10.0.95.0/29[any] any
out none
created: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=1 seq=1 pid=70974 scope=global
refcnt=1
10.0.95.0/29[any] 0.0.0.0/0[any] any
out ipsec
esp/tunnel/mypublic-remotepublic/unique:1
created: Jun 19 16:56:38 2020 lastused: Jun 19 22:38:50 2020
lifetime: 2147483647(s) validtime: 0(s)
spid=42 seq=0 pid=70974 scope=global
refcnt=44
Also, I spun up a VM of the latest 2.5 version and don't see the "bypass all locals" option proposed in this: https://redmine.pfsense.org/issues/3329
-
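To make the setkey -DP dump above easier to read, here is an added example (not from the post or from pfSense/strongSwan) that parses that dump and shows which SPD entry a given packet selects. It assumes that, when several entries match, the one with the most specific src/dst selectors wins, which is how strongSwan prioritises the policies it installs; the kernel's exact ordering is not shown in the thread. The SPD text is copied from the post with the poster's placeholders for the public IPs, and the 192.168.227.0/24 bypass pair and the setkey spdadd lines are illustrative, not a persistent fix: as the thread notes, pfSense regenerates the IPsec configuration.

```python
"""Walk an SPD dump (setkey -DP) and show which policy a packet selects."""
import ipaddress
import re

# Constructed from the setkey -DP output posted in the thread; the
# "remotepublic"/"mypublic" names are the poster's redactions, and the
# tab indentation is what setkey normally emits.
SPD_DUMP = """\
10.0.95.0/29[any] 10.0.95.0/29[any] any
\tin none
\tcreated: Jun 16 22:06:43 2020 lastused: Jun 19 22:26:18 2020
\tlifetime: 2147483647(s) validtime: 0(s)
\tspid=2 seq=3 pid=70974 scope=global
\trefcnt=1
0.0.0.0/0[any] 10.0.95.0/29[any] any
\tin ipsec
\tesp/tunnel/remotepublic-localpublic/unique:1
\tspid=41 seq=2 pid=70974 scope=global
10.0.95.0/29[any] 10.0.95.0/29[any] any
\tout none
\tspid=1 seq=1 pid=70974 scope=global
10.0.95.0/29[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/mypublic-remotepublic/unique:1
\tspid=42 seq=0 pid=70974 scope=global
"""

# Policy header: "src[port] dst[port] proto"; the next line is "dir action".
HEADER = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
ACTION = re.compile(r"^\s*(in|out|fwd)\s+(none|ipsec|discard)\b")


def parse_spd(dump):
    """Turn the setkey -DP text into a list of policy dicts."""
    policies, current = [], None
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(3)),
                       "proto": m.group(5), "dir": None, "action": None}
            policies.append(current)
            continue
        m = ACTION.match(line)
        if m and current is not None and current["dir"] is None:
            current["dir"], current["action"] = m.group(1), m.group(2)
    return policies


def lookup(policies, direction, src, dst):
    """Return the policy a src->dst packet hits in `direction`, or None.

    Assumption (not stated in the thread): among matching entries the most
    specific selector pair wins, which is how strongSwan orders the policies
    it installs. With no match the packet is simply routed in the clear.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    if not hits:
        return None
    return max(hits, key=lambda p: p["src"].prefixlen + p["dst"].prefixlen)


def with_bypass(policies, local_net, remote_net):
    """Copy of the SPD plus an in/out passthrough ("none") pair for local<->remote."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    extra = [
        {"src": local, "dst": remote, "proto": "any", "dir": "out", "action": "none"},
        {"src": remote, "dst": local, "proto": "any", "dir": "in", "action": "none"},
    ]
    return policies + extra


def setkey_lines(local_net, remote_net):
    """setkey(8) spdadd statements for that pair, shown for illustration only:
    pfSense regenerates its IPsec configuration, so entries added by hand
    do not survive a reload (the thread's actual complaint)."""
    return [
        f"spdadd {local_net} {remote_net} any -P out none;",
        f"spdadd {remote_net} {local_net} any -P in none;",
    ]


POLICIES = parse_spd(SPD_DUMP)

if __name__ == "__main__":
    # The LAN bypass covers corp->corp, but corp->personal falls into the /0 tunnel policy.
    for src, dst in [("10.0.95.2", "10.0.95.1"), ("10.0.95.2", "192.168.227.10")]:
        hit = lookup(POLICIES, "out", src, dst)
        print(f"out {src} -> {dst}: {hit['action']} ({hit['src']} -> {hit['dst']})")
    fixed = with_bypass(POLICIES, "10.0.95.0/29", "192.168.227.0/24")
    hit = lookup(fixed, "out", "10.0.95.2", "192.168.227.10")
    print(f"after adding the bypass pair: {hit['action']}")
    print("\n".join(setkey_lines("10.0.95.0/29", "192.168.227.0/24")))
```

Run against the posted dump, corp-to-corp traffic hits the existing `out none` entry, while corp-to-personal-LAN traffic only matches the `10.0.95.0/29 -> 0.0.0.0/0 out ipsec` entry, which is exactly the symptom in the first post; the inbound direction has the same problem, since 0.0.0.0/0 -> 10.0.95.0/29 is `in ipsec`. Only a more specific passthrough pair for 192.168.227.0/24 changes the outcome.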
Also, I know strongSwan well enough to put in another bypass, but how to keep pfSense from overwriting it is beyond me. Making ipsec.conf read-only won't do it, and "chattr" doesn't seem to be a command in the shell.
-
I don't see default routes like /0 networks in my IPsec policy.
Did you set it up for mobile clients or site-to-site?
Manual config of ipsec.conf won't cut it. I think the entire ipsec directory is generated on demand.
Can you show your full ipsec.conf?