IPsec lock to VLAN?



  • Hello

    Is it possible to lock IPsec to a VLAN? I want to lock the clients connecting from the IPsec VPN so that they do not have contact with my LAN clients. How is this possible?

    Thanks



  • Just thinking: say your LAN is on VLAN 50 and your guest VLAN is on VLAN 60. You will likely have different address spaces for these VLANs, say 10.50.0.0/16 for VLAN 50 and 10.60.0.0/16 for VLAN 60. Then in your phase 2 settings of IPsec you could simply set the network up as 10.60.0.0/16. This way IPsec will have access to VLAN 60 but not VLAN 50.

    Just a thought.


  • Netgate

    Also, all connections from IPsec clients have to pass through the firewall rules on the IPsec tab.  Those can be restrictive, even with a much broader phase 2 entry.

    I have a phase 2 entry to work for my whole home /24, but the only things I allow through the rules on my IPsec tab are connections to my printer and IP phone.  I can make connections to anything but they can only connect to those IP addresses/ports.
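The two approaches from the replies above, as an added example that is not part of the original thread and is not pfSense code: a simplified model in which a packet from a VPN client must fall inside the phase 2 local network and then match a pass rule on the IPsec tab, with first match winning and no match meaning blocked. The home /24, the printer and phone addresses, and the ports are constructed sample values.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination network in CIDR form
    port: Optional[int]   # None matches any destination port

def vpn_client_can_reach(dst, proto, port, phase2_local, ipsec_rules):
    """Return (allowed, reason) for a packet sent by an IPsec client."""
    addr = ip_address(dst)
    # Layer 1: only destinations inside the phase 2 network use the tunnel.
    if addr not in ip_network(phase2_local):
        return False, "outside phase 2 local network"
    # Layer 2: rules on the IPsec tab, evaluated top-down, first match wins.
    for rule in ipsec_rules:
        if (rule.proto in ("any", proto)
                and addr in ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action == "pass", f"matched {rule.action} rule for {rule.dst}"
    return False, "no rule matched (default deny)"

# Approach 1 (constructed): phase 2 narrowed to the guest VLAN, rules wide open.
NARROW_P2 = "10.60.0.0/16"
ALLOW_ALL = [Rule("pass", "any", "0.0.0.0/0", None)]

# Approach 2 (constructed): phase 2 covers the whole home /24,
# but the IPsec tab only passes traffic to the printer and the IP phone.
BROAD_P2 = "192.168.1.0/24"
TIGHT_RULES = [
    Rule("pass", "tcp", "192.168.1.20/32", 9100),  # printer (sample address/port)
    Rule("pass", "udp", "192.168.1.30/32", 5060),  # IP phone (sample address/port)
]

if __name__ == "__main__":
    checks = [
        ("10.60.1.5", "tcp", 443, NARROW_P2, ALLOW_ALL),      # guest VLAN host
        ("10.50.1.5", "tcp", 443, NARROW_P2, ALLOW_ALL),      # LAN host
        ("192.168.1.20", "tcp", 9100, BROAD_P2, TIGHT_RULES),  # printer
        ("192.168.1.50", "tcp", 445, BROAD_P2, TIGHT_RULES),   # other LAN host
    ]
    for dst, proto, port, p2, rules in checks:
        print(dst, proto, port, vpn_client_can_reach(dst, proto, port, p2, rules))
```

Combining both (a narrow phase 2 entry and restrictive rules) means a mistake in either layer does not by itself expose the LAN.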



  • Ok

    Seems like 2 good solutions.

    Thanks for your help