Why does source = IPsec net not work in my case?

Started by Evert, February 28, 2024, 10:23:23 AM

Hi all,

I've been configuring an IPsec connection between us and one of our customers. IPsec itself was working pretty soon (both phase 1 & phase 2), but we had the hardest time pushing bits and bytes through that tunnel...

After trying many things I ended up going to Firewall: Rules: IPsec and changing the source of the rules, which was set to 'IPsec net', to '*'. As soon as I did this, the customer was able to connect to the resources.

We have various other subnets, including 2 Wireguard, where I've set the source to '[subnet name] net' in firewall rules, and this works flawlessly.

Why doesn't this work for our IPsec setup? Did I misconfigure something somewhere, or is this a bug... ahem... feature?  8)
--
Regards,
   Evert

"IPsec net" is the network directly connected to the tunnel interface, not the remote networks of your customer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ah, ok.

What if I replace '*' with an alias containing the networks of our customer? Would that be a functioning compromise?
--
Regards,
   Evert

Yes, most probably.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
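To make the distinction in the replies concrete, here is an added example (not from the thread or from OPNsense) that models what each rule source admits: "IPsec net" only covers the locally attached tunnel subnet, while an alias holds the customer's remote phase 2 networks and '*' admits everything. All networks and addresses are constructed for illustration, and the check at the end verifies that the alias actually covers every remote network before it replaces '*'.

```python
from ipaddress import ip_address, ip_network

# Constructed values (hypothetical): the tunnel interface's own subnet,
# which is what "IPsec net" expands to, and the customer's remote phase 2
# networks, which would go into the alias.
IPSEC_NET = [ip_network("10.99.0.0/30")]
CUSTOMER_ALIAS = [ip_network("192.168.50.0/24"), ip_network("192.168.51.0/24")]
REMOTE_PHASE2_NETS = [ip_network("192.168.50.0/24"), ip_network("192.168.51.0/24")]
ANY = None  # the '*' source


def source_matches(src_ip, scope):
    """True if a packet from src_ip matches a rule whose source is `scope`.

    `scope` is a list of networks, or None for '*' (any source).
    """
    if scope is None:
        return True
    addr = ip_address(src_ip)
    return any(addr in net for net in scope)


def evaluate(src_ip):
    """Compare the three rule sources discussed in the thread for one packet."""
    return {
        "IPsec net": source_matches(src_ip, IPSEC_NET),
        "customer alias": source_matches(src_ip, CUSTOMER_ALIAS),
        "*": source_matches(src_ip, ANY),
    }


def alias_covers_remote_nets(alias, remote_nets):
    """Return the remote phase 2 networks the alias would NOT admit.

    An empty list means the alias can safely replace '*' without cutting
    off any of the customer's negotiated networks.
    """
    return [net for net in remote_nets
            if not any(net.subnet_of(entry) for entry in alias)]


if __name__ == "__main__":
    for ip in ("192.168.50.10", "10.99.0.2", "203.0.113.7"):
        print(ip, evaluate(ip))
    print("uncovered remote nets:", alias_covers_remote_nets(CUSTOMER_ALIAS, REMOTE_PHASE2_NETS))
```

A packet from the customer's LAN matches the alias and '*' but never "IPsec net", which is why only the '*' change made traffic flow; the alias is the narrower choice as long as the coverage check returns nothing.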

Before I make the same mistake twice... It would work with Wireguard, right? That's different in this aspect from IPsec?
--
Regards,
   Evert