Issue #3467

When an IPsec tunnel is configured with subnet %any %any on both sides, can we access a local service from the LAN side?

Added by richard qian 4 months ago. Updated 4 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: network / firewall
Affected version: 5.8.4
Resolution: (none)
Description

For example: PC -> [Router A] <-- IPsec tunnel --> [Router B]
Router A and Router B build an IPsec tunnel connection on their WAN side with subnet any any.
Can we access Router A's local server from the PC on its LAN side?

History

#1 Updated by richard qian 4 months ago

I think if strongSwan runs on the PC there would be no such problem.
But when it comes to a router, it needs to determine which packets should be routed to the IPsec tunnel and which should be sent to the local service, right?
I would like to know whether we should implement that ourselves, or whether I am misusing strongSwan.
My case is that the PC cannot access the router's local service when configured with any any.
Thanks.

#2 Updated by Tobias Brunner 4 months ago

  • Status changed from New to Feedback
  • Assignee deleted (Andreas Steffen)

Using 0.0.0.0/0 on both sides only works if you e.g. use marks (so only selected traffic is tunneled), or route based VPN (similar effect as marks but via routing), or you install bypass policies for traffic that should not be affected. So you have to decide why you are using such a traffic selector and what the best approach is for that scenario.
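
One way to put the bypass-policy approach into configuration, as an added example that is not part of this issue or of the strongSwan project's own documentation: a swanctl.conf for "Router A" that still tunnels 0.0.0.0/0 <-> 0.0.0.0/0 to Router B, but excludes traffic between the LAN and the router's own LAN address by a pass (shunt) child. The WAN/LAN addresses, the connection and identity names, and the PSK placeholder are assumptions.

```conf
# Added example for Router A (constructed; not from the issue or the project).
# Addresses, names and the secret are placeholders.
connections {
    site-to-site {
        local_addrs  = 192.0.2.1        # Router A WAN address (assumed)
        remote_addrs = 198.51.100.1     # Router B WAN address (assumed)
        local {
            auth = psk
            id = router-a
        }
        remote {
            auth = psk
            id = router-b
        }
        children {
            all-traffic {
                # The traffic selector asked about: everything on both sides.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
                # Route-based alternative (instead of the bypass below): bind the
                # SAs to an XFRM interface and let routing decide what is tunneled.
                # if_id_in  = 42
                # if_id_out = 42
            }
        }
    }

    # Bypass policy: LAN <-> LAN traffic (which includes the PC talking to the
    # router's own LAN address 192.168.1.1) is excluded from IPsec.
    # mode = pass installs XFRM policies only; no IKE SA or CHILD_SA is needed,
    # and strongSwan installs pass policies with a higher priority than the
    # regular 0.0.0.0/0 tunnel policy, so these entries match first.
    lan-bypass {
        children {
            lan-local {
                local_ts  = 192.168.1.0/24   # Router A LAN (assumed)
                remote_ts = 192.168.1.0/24
                mode = pass
                start_action = trap
            }
        }
    }
}

secrets {
    ike-router-b {
        id-1 = router-b
        secret = "REPLACE-WITH-REAL-PSK"   # placeholder, never ship a literal PSK
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` on Router A should list the 192.168.1.0/24 pass entries ahead of the 0.0.0.0/0 tunnel entries; if the PC still cannot reach the router's LAN address, that listing is the first thing to check. The bypass child is per-subnet, so every local subnet that must stay reachable needs its own `local_ts`/`remote_ts` pair, or the XFRM-interface (`if_id_*`) route-based variant should be used instead, where only traffic routed into the interface is encrypted.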

#3 Updated by richard qian 4 months ago

Tobias Brunner wrote:

Using 0.0.0.0/0 on both sides only works if you e.g. use marks (so only selected traffic is tunneled), or route based VPN (similar effect as marks but via routing), or you install bypass policies for traffic that should not be affected. So you have to decide why you are using such a traffic selector and what the best approach is for that scenario.

Hi Tobias,

I used the same configuration with kernel 3.10 and it works like you said.
However, when I use kernel 2..16.24, it doesn't redirect the packet from lan side to tunnel. So is this a bug? And from the kernel implementation, I traced the ICMP packet and found that xfrm does not check the packet against the IPsec ACL rules.
Thanks.

#4 Updated by Tobias Brunner 4 months ago

However, when I use kernel 2..16.24, it doesn't redirect the packet from lan side to tunnel.

I guess you mean 2.6.24, but I'm sure you are joking, because that kernel is way too old to be used for anything at all. If you are referring to marks, then those are only supported since 2.6.34.

#5 Updated by richard qian 4 months ago

Tobias Brunner wrote:

However, when I use kernel 2..16.24, it doesn't redirect the packet from lan side to tunnel.

I guess you mean 2.6.24, but I'm sure you are joking, because that kernel is way too old to be used for anything at all. If you are referring to marks, then those are only supported since 2.6.34.

Thanks. I heard from my colleague that he just replaced freeswan with strongSwan, and they still use KLIPS for the kernel.
