How can I exclude one IP from a phase 2 entry



  • Hi,

    I have a really annoying problem that I am trying to resolve. Assume the following subnets.

    Site A Internal: 10.10.0.0/16
    Site B Internal: 10.50.0.0/16
    Site B DMZ: x.y.z.0/24 (where this is a valid public subnet).

    I have an IPsec VPN set up. The first phase 2 entry allows 10.10.0.0/16 and 10.50.0.0/15 to talk. This works perfectly.
    I then made a second phase 2, to allow 10.10.0.0/16 and x.y.z.0/24 to communicate using the tunnel. This worked OK too.

    The problem I'm having is that I have a handful of IPs spread out randomly on the site B DMZ that I need to exclude from the tunnel.

    My current method of doing this is to split the phase 2 into 10 different entries, so that I work around the IPs. This is very painful to manage, and if a new IP gets added, then I need to break the VPN again while I rework the phase 2 entries. Is there a better solution for this?

    I can upgrade to 2.1 if that resolves this.
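    The workaround described in this post (splitting one phase 2 selector into the minimal set of CIDR blocks that skip the excluded hosts) is mechanical enough to compute. The script below is an added example, not code from the thread or from pfSense; the 203.0.113.0/24 remote subnet and the two excluded hosts are constructed stand-ins for the x.y.z.0/24 DMZ and its excluded IPs.

```python
import ipaddress


def exclude_hosts(subnet, excluded_hosts):
    """Return the smallest list of CIDR blocks covering `subnet` minus the
    excluded host addresses. Each block is one phase 2 remote selector."""
    remaining = [ipaddress.ip_network(subnet)]
    for host in set(excluded_hosts):
        host_net = ipaddress.ip_network(host)  # a /32 (or /128)
        next_round = []
        for net in remaining:
            if host_net.subnet_of(net):
                # Carve the host out; address_exclude yields the blocks
                # on either side of it, down to the /32 neighbours.
                next_round.extend(net.address_exclude(host_net))
            else:
                next_round.append(net)
        remaining = next_round
    # Merge adjacent blocks where possible and order them for readability.
    return sorted(ipaddress.collapse_addresses(remaining))


def phase2_entries(local, remote, excluded_hosts):
    """Return (local, remote) selector pairs, one per phase 2 entry."""
    return [(local, str(n)) for n in exclude_hosts(remote, excluded_hosts)]


def is_excluded(entries, host):
    """True if `host` falls inside none of the remote selectors."""
    addr = ipaddress.ip_address(host)
    return not any(addr in ipaddress.ip_network(r) for _, r in entries)


def address_count(entries):
    """Total number of remote addresses the entries cover (sanity check)."""
    return sum(ipaddress.ip_network(r).num_addresses for _, r in entries)


if __name__ == "__main__":
    # Constructed example: site A LAN to a /24 DMZ, skipping two hosts.
    entries = phase2_entries("10.10.0.0/16", "203.0.113.0/24",
                             ["203.0.113.7", "203.0.113.130"])
    for local, remote in entries:
        print(f"phase 2: local {local}  remote {remote}")
    print(f"{len(entries)} entries, {address_count(entries)} addresses")
```

Excluding each host costs up to eight extra entries, which is why the list grows so quickly; the count reported by the script is the number of phase 2 entries that would have to be maintained by hand.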



  • Any reason you can't tunnel the whole subnet and control access via firewall rules?



  • @dotdash:

    Any reason you can't tunnel the whole subnet and control access via firewall rules?

    This is what I recently did when I was having Active Directory replication issues and wanted to make sure it didn't magically start working on the broken systems while I was building new boxes.



  • If I block the IP with a fw rule, then it will be blocked. I need the IP to connect to the remote side, but just not over the VPN.



  • @artimus:

    If I block the IP with a fw rule, then it will be blocked. I need the IP to connect to the remote side, but just not over the VPN.

    The traffic will only be blocked on the VPN interface. If the traffic was passing in over the WAN or another interface, you could pass the traffic. If it's a routing issue, that could be complicated as a tunnel will trump a local route, but that would be an unusual situation.