IPSec VPN Access Limitations

Hi All

I have to configure an IPSec link to a client, which I’ve never done before, and now that I’m used to setting allowed addresses in WireGuard I’m wondering if there is something similar I can do for IPSec?

I have various devices scattered over various ranges I’d like to give them access to but block everything else.

Any ideas?

Thanks,
R

The traffic selectors in bare IPsec work similarly to WireGuard’s allowed-address list, but as you mention various ranges, be aware that the number of policies may be overwhelmingly high, as you may need one policy for each (local subnet, remote subnet) tuple depending on how the remote peer has configured it. Using 0.0.0.0/0 ↔ 0.0.0.0/0 is rarely a solution because bare IPsec traffic selectors supersede the results of the “normal” routing, so if you use this traffic selector to choose traffic for the tunnel policy, you need other policies to exempt your local traffic from being intercepted by this one.

So depending on how much of the design will be your own decision and how much you have to accommodate to, it may be best to use a “something-over-IPsec” tunnel with “normal” routing and firewall rules, or it may be best to use bare IPsec.

Howsit sindy

Well it seems I’m stuck with IPSec so will have to figure it out.

So if I’m understanding you correctly, I can specify multiple Policies for the same Peer in order to indicate multiple IPs/ranges, correct?
Is there a way they could “masquerade” the link to gain access to anything beyond what I specify under Policies? I see IPSec does not create an “interface” so it makes it tricky (in my mind at least) to try and button things up via the firewall.

PS. I’m the initiator

Thanks,
R

That was clear, what is still not clear is how much of the IPsec setup has already been cast in concrete and how much of it you can set up as you want.


Almost - not multiple subnets but multiple combinations of local and remote subnet. So if you have subnets A and B on the local end and subnets 1,2,3 on the remote end, you need individual policies for A1, A2, A3, B1, B2, B3 combinations.


You can normally use masquerade/srcnat at the application client side, but it is much more complicated at application server side (you need port forwarding in such case). The traffic selection is done after all the firewall processing, including src-nat, has been done. So if you src-nat the whole client site to a single address, you can only use as many policies as you have subnets on the server site (application-wise client may not be the IPsec-wise initiator).


From the firewall point of view, you just have to refer to IP addresses and not to interface names. Other implications of not having a virtual interface are much worse :)
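The per-combination policies and the srcnat interaction described in the reply above, as an added configuration example that is not part of the original thread. It assumes MikroTik RouterOS (v6.45 or later syntax), which the thread's terms (address lists, srcnat, policies, peer) suggest but never state; the peer address, subnets, names and the pre-shared key are constructed placeholders, with two local subnets (A, B) and three remote ones (1, 2, 3) giving the six policies the reply describes:

```routeros
# Added example, not the thread's own configuration. RouterOS v6.45+ syntax assumed.
# Peer, identity and proposal: constructed placeholder values.
/ip ipsec peer add name=client-peer address=203.0.113.10/32 exchange-mode=ike2 profile=default
/ip ipsec identity add peer=client-peer auth-method=pre-shared-key secret="REPLACE-WITH-REAL-PSK"
/ip ipsec proposal add name=client-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# One policy per (local subnet, remote subnet) pair: A={192.168.10.0/24}, B={192.168.20.0/24}
# and 1,2,3={10.1.0.0/24,10.2.0.0/24,10.3.0.0/24}. No 0.0.0.0/0 selector is used, so no
# exemption policies are needed and local traffic is never captured by the tunnel.
/ip ipsec policy
add peer=client-peer tunnel=yes src-address=192.168.10.0/24 dst-address=10.1.0.0/24 proposal=client-proposal action=encrypt level=require comment="A1"
add peer=client-peer tunnel=yes src-address=192.168.10.0/24 dst-address=10.2.0.0/24 proposal=client-proposal action=encrypt level=require comment="A2"
add peer=client-peer tunnel=yes src-address=192.168.10.0/24 dst-address=10.3.0.0/24 proposal=client-proposal action=encrypt level=require comment="A3"
add peer=client-peer tunnel=yes src-address=192.168.20.0/24 dst-address=10.1.0.0/24 proposal=client-proposal action=encrypt level=require comment="B1"
add peer=client-peer tunnel=yes src-address=192.168.20.0/24 dst-address=10.2.0.0/24 proposal=client-proposal action=encrypt level=require comment="B2"
add peer=client-peer tunnel=yes src-address=192.168.20.0/24 dst-address=10.3.0.0/24 proposal=client-proposal action=encrypt level=require comment="B3"

# Policy matching happens after srcnat. A masquerade rule that also catches tunnel-bound
# traffic would rewrite the source to the WAN address and the policies above would no
# longer match, so the internet masquerade rule is restricted to traffic that has no
# outgoing IPsec policy. "ether1-wan" is an assumed interface name.
/ip firewall nat
add chain=srcnat out-interface=ether1-wan ipsec-policy=out,none action=masquerade comment="internet NAT, excludes tunnel traffic"
```

The `ipsec-policy=out,none` matcher on the NAT rule is the usual RouterOS way to keep bare-IPsec traffic out of masquerade; without it the selectors would only match if the remote side expected your public address as the local subnet, which is the single-address situation the reply warns about.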

I’ve suggested to the provider to maybe look into something a little simpler, like L2TP/IPSec, as this seems to be their first time implementing IPSec and I don’t reckon it’s going to work well for them in the long run anyway.

From my side I still need to limit their access to a few random IPs over a few subnets though, which I don’t quite know how to do yet. Address lists can only take a single IP or a set range within a subnet and I can’t see a way to use multiple address lists in a firewall rule.

Any suggestions on how to accomplish this?

Thanks,
R

The very idea of an access list is that it consists of multiple items. So add multiple items with the same list value and different address items.
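The multi-item address list from the reply above, combined with the firewall filtering the asker wanted (a few hosts across several subnets reachable through the tunnel, everything else blocked), as an added example that is not the forum's own configuration. It assumes MikroTik RouterOS, which the thread implies but does not name; the list names, host addresses and subnets are constructed placeholders:

```routeros
# Added example, not from the thread. RouterOS syntax assumed.
# Several entries carry the same list name; each entry may be a single host,
# a dash-separated range or a subnet, so hosts from different subnets can share one list.
/ip firewall address-list
add list=client-allowed address=192.168.10.25 comment="printer in subnet A"
add list=client-allowed address=192.168.10.40-192.168.10.44 comment="five hosts in subnet A"
add list=client-allowed address=192.168.20.7 comment="application server in subnet B"
add list=client-remote address=10.1.0.0/24 comment="remote subnet 1"
add list=client-remote address=10.2.0.0/24 comment="remote subnet 2"
add list=client-remote address=10.3.0.0/24 comment="remote subnet 3"

# Without a tunnel interface the rules match on the IPsec policy state of the packet
# (ipsec-policy=in,ipsec = it was decrypted by an inbound policy) and on addresses.
# Rule order matters: return traffic first, then the allow-list, then the catch-all drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward ipsec-policy=in,ipsec src-address-list=client-remote dst-address-list=client-allowed action=accept comment="client may reach listed hosts only"
add chain=forward ipsec-policy=in,ipsec action=drop comment="drop all other traffic arriving through the tunnel"
```

Because the drop rule keys on `ipsec-policy=in,ipsec` rather than on the remote subnets, it also covers anything the peer might send from an address outside the negotiated selectors if a policy were ever widened later; the accept rule stays the single place that defines what the client can reach.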

Geez, seems so obvious now, never knew you could add multiple lines with the same name.

Thanks sindy