I'm creating a tunnel with IPsec (the connection is established and it works), but I don't know how to work with it. My last VPN/tunnels were interface-based, and it was quite simple to create routes, addresses and firewall filters.
How can I create routes for this tunnel?
How can I decide who is allowed to access it?
It can be slightly confusing at first. You define an IPsec policy where you specify the local and remote subnet. The router then automatically takes matching outgoing packets and encrypts them. It also takes incoming encrypted packets, decrypts them and checks whether they match any existing policy before it lets them go further. There are no routes (*1); it's another layer.
There are more possibly confusing aspects. Incoming packets from the remote subnet seem to be coming in via the WAN interface, the same as any other packet from the internet. The same goes for outgoing packets. You can tell them apart using the ipsec-policy firewall option.
Another problem is with routes. They are actually used (*1), but not exactly as expected. There must be a route to the remote subnet, otherwise the router will refuse the packet, because it will think that it doesn't have a route for it. Normally it's always there in the form of the default route to 0.0.0.0/0. But this route is not actually used, because the original outgoing packet to the remote subnet is snatched away by IPsec and encrypted. The resulting ESP packet is a different one, from the address of the local router to the address of the remote router, and this one is routed as usual. You'll encounter this e.g. if you decide to block routes to private subnets using unreachable routes to 10.0.0.0/8, etc. This would block access to the remote 10.1.2.0/24, so you would need to add a route to it, but it doesn't matter at all where it points to.
If you want to do some filtering for outgoing or incoming traffic, it's like filtering any other traffic coming through the router. The only thing is that the default firewall has rules to allow all outgoing and incoming tunnelled traffic, so you need to get rid of those first.
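The pieces described in the answer above (policy, the route that must exist, and filtering with the ipsec-policy matcher), put together as an added RouterOS CLI example. This is not configuration from the original thread. It assumes a local LAN of 192.168.88.0/24, a remote LAN of 10.1.2.0/24, a local WAN address of 203.0.113.1 with gateway 203.0.113.254 on ether1, a remote peer at 198.51.100.1, an already-working peer/identity named `remote-site`, and a web server at 192.168.88.10; all of these are made-up values. It also goes one step beyond the post by excluding tunnelled traffic from source NAT, which is needed on any router that masquerades its LAN, otherwise the outgoing packet is rewritten before the policy can match it.

```routeros
# Constructed example, not from the original thread. All addresses, the peer
# name "remote-site" and the interface name are assumptions.

# 1. Policy: local <-> remote subnet. Matching packets leaving the router are
#    encrypted into ESP from 203.0.113.1 to 198.51.100.1; decrypted incoming
#    packets are checked against this policy before being forwarded.
/ip ipsec policy
add peer=remote-site tunnel=yes action=encrypt proposal=default \
    src-address=192.168.88.0/24 dst-address=10.1.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1

# 2. Route: the default route normally covers 10.1.2.0/24. If private ranges
#    are deliberately blocked, a more specific route is needed so the router
#    does not refuse the packet. Its gateway is irrelevant for the tunnelled
#    traffic, because the ESP packet is routed separately to 198.51.100.1.
/ip route
add dst-address=10.0.0.0/8 type=unreachable comment="block RFC1918 leaks"
add dst-address=10.1.2.0/24 gateway=203.0.113.254 \
    comment="exists only so IPsec gets the packet; gateway does not matter"

# 3. NAT (beyond the original post): do not masquerade packets that an IPsec
#    policy will take. Without this the source address is rewritten to
#    203.0.113.1 and the policy no longer matches.
/ip firewall nat
add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# 4. Filtering. Decrypted packets arrive on ether1 like any internet packet,
#    so match on ipsec-policy rather than in-interface. Remove the default
#    "accept in/out ipsec policy" rules first, then allow only what is wanted.
/ip firewall filter
remove [find where comment~"ipsec policy"]
add chain=forward ipsec-policy=in,ipsec src-address=10.1.2.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 action=accept \
    comment="remote site: HTTPS to the web server only"
add chain=forward ipsec-policy=in,ipsec action=drop \
    comment="remote site: everything else"
add chain=forward ipsec-policy=out,ipsec src-address=192.168.88.0/24 \
    dst-address=10.1.2.0/24 action=accept comment="local LAN may initiate"
# Place these before the generic "drop invalid / drop not from LAN" forward
# rules, e.g. with place-before=, or the drop rules win.

# 5. Checks: the policy should show ph2-state=established, an SA pair should
#    exist, and the filter counters should move when traffic crosses the tunnel.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall filter print stats where ipsec-policy~"ipsec"
```

The order of the filter rules matters: RouterOS evaluates the forward chain top to bottom, so the accept rules for the tunnel must sit above whatever generic drop rule ends the chain. If the counters on the `in,ipsec` rules stay at zero while the SA is established, the usual cause is the srcnat rule missing `ipsec-policy=out,none`.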