Best practice when creating FW rules sourced from IPSec VPN

Hi - regarding the following post:

The thread mentions that IPSec interfaces are associated with the WAN zone by default. This seems a bit too permissive when writing firewall rules as you end up including the internet facing interfaces in the rule.

Would it be best practice to create a new ‘vpn’ zone and add the IPSec tunnel interfaces to that zone? When I’ve tried this the interfaces do not appear for selection.

Thanks, G.

Hello,

With the “Route based IPsec” flag enabled the tunnel will be built using a separate interface and will have its own firewall zone.

Regards,

Hello @gjkrak,

Could you please let me know if you still need any assistance?

Best regards,

Hi all, thanks for the replies, in our case we could see two zones but neither seemed to be associated with an interface. Traffic wasn’t being forwarded from the IPSec tunnels to the LAN zone, until we changed the source to be Any Zone. Is there any way to check that an IPSec tunnel interface is associated with a particular zone?

Thanks, G.

Yes, edit the IPsec zone, check the “Covered networks” list. Set it to the name of the interface.

I did try that however the IPSec interfaces do not appear for selection in covered networks unfortunately.

Restart the network layer after enabling the “Route based IPsec” flag:

/etc/init.d/network restart

Hi, just to confirm we already had route based ipsec enabled, see screenshot below showing the IPSec config and the zone config for one of the tunnel’s zones.

Strange. “Covered networks” should contain the name of the IPSEC interface.

Do you have a declaration similar to:

config interface 'the-name-of-the-ipsec-interface'
        option tunlink 'loopback'
        option proto 'xfrm'
        option ifid '3'

in /etc/config/networks ?
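As an added illustration (not code from the thread or from the router vendor), the following POSIX shell script checks the two things this reply is asking about: that a named interface is declared with `option proto 'xfrm'` in the network config, and that some firewall zone lists it under `list network` (the UCI key behind the “Covered networks” field). On OpenWrt-based firmware the files are /etc/config/network and /etc/config/firewall; the script embeds constructed sample copies of both so it runs offline, and the interface names `ipsec_site_a`, `ipsec_site_b`, `ipsec_site_c` are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a route-based IPsec
# (xfrm) interface is declared in the network config and whether a firewall
# zone lists it under its networks ("Covered networks" in the web UI).
# The two config texts below are constructed samples in OpenWrt UCI format;
# on the router you would pass "$(cat /etc/config/network)" and
# "$(cat /etc/config/firewall)" instead.

SAMPLE_NETWORK="config interface 'lan'
        option proto 'static'

config interface 'ipsec_site_a'
        option tunlink 'loopback'
        option proto 'xfrm'
        option ifid '3'

config interface 'ipsec_site_b'
        option tunlink 'loopback'
        option proto 'xfrm'
        option ifid '4'
"

SAMPLE_FIREWALL="config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'ipsec_site_a'
        list network 'ipsec_site_a'
        option input 'ACCEPT'
        option forward 'REJECT'
"

# xfrm_ifid NETWORK_CFG IFNAME
# Prints the ifid of the named interface if it exists and has proto 'xfrm'.
# Options are collected per section and evaluated at the section end, so
# their order inside the section does not matter.
xfrm_ifid() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        function flush() { if (name == want && proto == "xfrm") print ifid }
        /^config interface/ { flush(); name = $3; gsub(q, "", name); proto = ""; ifid = "" }
        /^[ \t]*option proto/ { proto = $3; gsub(q, "", proto) }
        /^[ \t]*option ifid/  { ifid = $3;  gsub(q, "", ifid) }
        END { flush() }'
}

# zone_for_network FIREWALL_CFG IFNAME
# Prints the name of each zone whose "list network" entries include IFNAME.
zone_for_network() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        function flush() { if (hit) print zname }
        /^config zone/ { flush(); zname = ""; hit = 0 }
        /^[ \t]*option name/ { zname = $3; gsub(q, "", zname) }
        /^[ \t]*list network/ { n = $3; gsub(q, "", n); if (n == want) hit = 1 }
        END { flush() }'
}

# check_ipsec_zone NETWORK_CFG FIREWALL_CFG IFNAME
# Prints one of: "ok <zone>", "no-xfrm-interface", "not-covered".
# "not-covered" is the situation in this thread: the tunnel interface exists
# but no zone claims it, so zone-scoped forwarding rules never match it.
check_ipsec_zone() {
    ifid=$(xfrm_ifid "$1" "$3")
    if [ -z "$ifid" ]; then
        echo "no-xfrm-interface"
        return 0
    fi
    zone=$(zone_for_network "$2" "$3")
    if [ -z "$zone" ]; then
        echo "not-covered"
        return 0
    fi
    echo "ok $zone"
}

for ifname in ipsec_site_a ipsec_site_b ipsec_site_c; do
    printf '%s: %s\n' "$ifname" "$(check_ipsec_zone "$SAMPLE_NETWORK" "$SAMPLE_FIREWALL" "$ifname")"
done
```

With the sample data, `ipsec_site_a` reports `ok ipsec_site_a`, `ipsec_site_b` reports `not-covered` (interface present, no zone lists it) and `ipsec_site_c` reports `no-xfrm-interface`. A `not-covered` result is the case where opening the zone to “Any Zone” appears to fix forwarding while actually widening the rule.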

No there’s no interface entry for either tunnel in /etc/config/networks, should I create them using the format you mentioned?

It would be simpler if you could delete the IPSEC config and recreate it with “Route based IPSEC” enabled; everything should fall into place directly.