Netgate Discussion Forum
    Encrypt specific protocols only

    IPsec | 5 Posts, 2 Posters, 1.3k Views
    • Gernupe

      (First of all, sorry for the bad English.)

      Hi everybody, I've been fighting a tricky VPN connection for the last few days, which has some specific requirements; the only one still kicking is the need to encrypt certain protocols only (GRE in this case).

      According to the strongSwan wiki, this could be achieved in one of two ways: left|rightprotoport (which is being deprecated) or appending them after the left|rightsubnet parameter.

      I kinda fixed it by adding "leftprotoport = gre" and "rightprotoport = gre" in the vpn.inc file, but this setup will add this parameter to all defined VPNs. At the moment that's not an issue because it's the only one I have, but it will be a problem in the near future.

      With my very limited programming skills, I've been trying to get the left|rightsubnet option working. I managed to disable NAT and remote network validation in order to pass the [gre] value into the field, but the subnet mask keeps getting appended at the end of the line in ipsec.conf (leftsubnet = 10.10.10.10[gre]/24) and I'm not finding where in the code it is.

      If some of the code gurus could lend me a hand on removing the subnet bits I'll be forever grateful (I guess this will work; just need to add them to the NAT and remote network fields).

      Greetings from Uruguay!

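The malformed line quoted above (leftsubnet = 10.10.10.10[gre]/24) is the reason strongSwan cannot narrow the selector: in ipsec.conf the protocol/port suffix has to follow the complete network/prefix, not sit between the address and the mask. The following is an added example, not code from the poster's attachment or from pfSense's vpn.inc; it builds and validates selectors in the form strongSwan documents (network/prefix[proto/port]) and renders a conn block in both the deprecated left|rightprotoport style and the subnet-suffix style. The protocol table and the conn name, peer addresses and networks are constructed for the example.

```python
"""Build and validate strongSwan traffic selectors that restrict an SA to one protocol."""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed protocol table for the example; strongSwan itself resolves names via
# /etc/protocols and also accepts raw protocol numbers.
PROTO_NUMBERS = {"gre": 47, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50}

# network/prefix, optionally followed by [proto] or [proto/port]. The mask must come
# before the bracket, so "10.10.10.10[gre]/24" does not match.
SELECTOR_RE = re.compile(
    r"^(?P<net>[0-9A-Fa-f:.]+/\d{1,3})"
    r"(?:\[(?P<proto>[a-z]+|\d+)(?:/(?P<port>\d{1,5}))?\])?$"
)


def build_subnet_selector(cidr: str, proto: Optional[str] = None,
                          port: Optional[int] = None) -> str:
    """Return 'network/prefix[proto/port]' for a left|rightsubnet value.

    The host bits of cidr are cleared so a GUI value such as 10.10.10.10/24
    becomes the network 10.10.10.0/24 that strongSwan expects.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    selector = f"{net.network_address}/{net.prefixlen}"
    if proto is None:
        if port is not None:
            raise ValueError("a port restriction needs a protocol")
        return selector
    proto = proto.lower()
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unknown protocol {proto!r}")
    if port is None:
        return f"{selector}[{proto}]"
    if proto not in ("tcp", "udp"):
        raise ValueError("ports only apply to tcp and udp")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{selector}[{proto}/{port}]"


def parse_subnet_selector(text: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Parse a selector back into (network, proto, port), rejecting malformed input."""
    m = SELECTOR_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed selector: {text!r}")
    net = ipaddress.ip_network(m["net"], strict=False)  # validates the address/prefix
    proto = m["proto"]
    if proto is not None and not proto.isdigit() and proto not in PROTO_NUMBERS:
        raise ValueError(f"unknown protocol {proto!r}")
    port = int(m["port"]) if m["port"] is not None else None
    return f"{net.network_address}/{net.prefixlen}", proto, port


def render_conn(name: str, left: str, leftsubnet: str, right: str, rightsubnet: str,
                proto: Optional[str] = None, use_protoport: bool = False) -> str:
    """Render an ipsec.conf conn block restricted to one protocol.

    use_protoport=True emits the deprecated left|rightprotoport keywords; the
    default appends the protocol to the subnet selectors instead.
    """
    lines = [f"conn {name}", f"\tleft={left}", f"\tright={right}"]
    if use_protoport and proto:
        lines += [f"\tleftsubnet={build_subnet_selector(leftsubnet)}",
                  f"\trightsubnet={build_subnet_selector(rightsubnet)}",
                  f"\tleftprotoport={proto}", f"\trightprotoport={proto}"]
    else:
        lines += [f"\tleftsubnet={build_subnet_selector(leftsubnet, proto)}",
                  f"\trightsubnet={build_subnet_selector(rightsubnet, proto)}"]
    lines.append("\tauto=route")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed addresses: the thread does not give the real ones.
    print(render_conn("bank-gre", "203.0.113.1", "10.10.10.10/24",
                      "198.51.100.1", "172.16.0.0/16", proto="gre"))
    try:
        parse_subnet_selector("10.10.10.10[gre]/24")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints a conn with leftsubnet=10.10.10.0/24[gre] and then shows the broken form from the post being rejected by the parser, which is the check a GUI field or config generator would want before writing ipsec.conf.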
      • jimp (Rebel Alliance Developer, Netgate)

        We don't have a way to set that currently. But if the remote end is a Cisco they can usually set their protocol selector to 0 to let it work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Gernupe

          The remote end is in fact a Cisco device, but it belongs to a bank and they tend to enforce their policies pretty hard.

          Anyway, the best approach will be to add a few more fields to the phase 2 GUI page and attach their content to the rightsubnet and leftsubnet parameters in the ipsec.conf file.

          Should I enter a feature request for that or is this too specific to be even considered?

          • jimp (Rebel Alliance Developer, Netgate)

            You can make a feature request for it. It is something we've talked about (specifically for GRE if not others) but there wouldn't be an ETA for that, maybe even after 2.3 unless someone does the work and submits it as a pull request.

            • Gernupe

              I ended up doing it myself.

              Read a little PHP, touched here and there on a test environment and voilà.

              Been testing a few protocols and ports and it seems to be OK.

              No idea how to make a pull request, but I've left the modified files attached to this post just in case someone needs them.

              Attachments: ipsec_status.JPG, vpn_ph2.JPG, protoport.zip
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.