User manual

19: Configuring IPSec
option 'dpddelay' "30s"
option 'dpdtimeout' "120s"
19.3 Shunt connection
If the remote LAN network is 0.0.0.0/0, then all traffic generated on the local LAN
is sent via the IPSec tunnel, including traffic destined for the router's own
IP address. To avoid this, you must include an additional config connection
section.
strongswan.@connection[1]=connection
strongswan.@connection[1].name=local
strongswan.@connection[1].enabled=yes
strongswan.@connection[1].locallan=10.1.1.1
strongswan.@connection[1].locallanmask=255.255.255.255
strongswan.@connection[1].remotelan=10.1.1.0
strongswan.@connection[1].remotelanmask=255.255.255.0
strongswan.@connection[1].type=pass
strongswan.@connection[1].auto=route
config connection
    option name 'local'
    option enabled 'yes'
    option locallan '10.1.1.1'
    option locallanmask '255.255.255.255'
    option remotelan '10.1.1.0'
    option remotelanmask '255.255.255.0'
    option type 'pass'
    option auto 'route'
Traffic originating on remotelan and destined for the locallan address is excluded from
the IPSec VPN policy, so it passes outside the tunnel and reaches the router directly.
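Added example (not from the Virtual Access manual): a Python check that reads the output of `uci show strongswan` in the key=value format shown above and reports enabled 0.0.0.0/0 tunnels that have no matching 'pass' connection covering the router's LAN address. It assumes a 0.0.0.0/0 remote LAN is written as remotelan 0.0.0.0 with remotelanmask 0.0.0.0, that any connection whose type is not 'pass' is a tunnel, and that the tunnel named 'vpn' and the router address 10.1.1.1 in the sample are constructed.

```python
import ipaddress

# Constructed sample in `uci show strongswan` format: connection[0] is an assumed
# default-route tunnel, connection[1] is the shunt connection from section 19.3.
SAMPLE_UCI = """\
strongswan.@connection[0]=connection
strongswan.@connection[0].name=vpn
strongswan.@connection[0].enabled=yes
strongswan.@connection[0].locallan=10.1.1.0
strongswan.@connection[0].locallanmask=255.255.255.0
strongswan.@connection[0].remotelan=0.0.0.0
strongswan.@connection[0].remotelanmask=0.0.0.0
strongswan.@connection[1]=connection
strongswan.@connection[1].name=local
strongswan.@connection[1].enabled=yes
strongswan.@connection[1].locallan=10.1.1.1
strongswan.@connection[1].locallanmask=255.255.255.255
strongswan.@connection[1].remotelan=10.1.1.0
strongswan.@connection[1].remotelanmask=255.255.255.0
strongswan.@connection[1].type=pass
strongswan.@connection[1].auto=route
"""

def parse_connections(uci_text):
    """Group 'strongswan.@connection[N].option=value' lines into one dict per section."""
    conns = {}
    for line in uci_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.startswith("strongswan.@connection["):
            continue
        section, _, option = key[len("strongswan."):].partition(".")
        conns.setdefault(section, {})
        if option:
            conns[section][option] = value
    return conns

def network(addr, mask):
    # UCI stores address and dotted mask separately; ipaddress accepts "addr/mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def tunnels_missing_shunt(conns, router_ip):
    """Names of enabled 0.0.0.0/0 tunnels whose LAN has no 'pass' shunt to router_ip."""
    router = ipaddress.ip_address(router_ip)
    shunts = [c for c in conns.values() if c.get("type") == "pass" and c.get("enabled") == "yes"]
    missing = []
    for c in conns.values():
        if c.get("enabled") != "yes" or c.get("type") == "pass":
            continue  # disabled, or itself a shunt (assumed: non-'pass' means tunnel)
        if network(c["remotelan"], c["remotelanmask"]).prefixlen != 0:
            continue  # not a default-route tunnel, router traffic is unaffected
        lan = network(c["locallan"], c["locallanmask"])
        # A shunt protects the router when its remotelan covers the tunnel's LAN
        # (the traffic sources) and its locallan covers the router's own address.
        covered = any(router in network(s["locallan"], s["locallanmask"])
                      and lan.subnet_of(network(s["remotelan"], s["remotelanmask"]))
                      for s in shunts)
        if not covered:
            missing.append(c.get("name", "?"))
    return missing
```

Run it on a copied `uci show strongswan` dump with the router's LAN address; an empty list means every default-route tunnel has a matching shunt.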
19.4 Secret settings
Each tunnel also requires settings that define how the local endpoint of the tunnel
proves its identity to the remote endpoint.
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 126 of 255