When IPSEC starts, it binds to the interface with the lowest-metric default gateway. When there are multiple default gateways, it is useful to bind to a specific interface regardless of metric.
The example below allows IPSEC to bind to and initiate connections from the cellular interface.
Note: for firmware 4.11 or newer, follow the steps below:
In the "System > IP > Route Settings" page, add a new route:
Destination Network: <this field is your IPSEC server address>
Destination netmask: 32
Route Gateway: <leave blank>
Interface: Internal Cellular Modem
In the "Serial & Network > IPSEC VPN" page, edit the tunnel and add the following Custom Tunnel Option:
Option Name: left
Argument: %wwan0
If you are running firmware 4.11.0 or greater, you can use the configurator below to update the desired interface for use in /etc/config/ipsec.conf:
config -s config.ipsec.interfaces="ipsec0=wwan0" -r ipsec
If you have multiple tunnels configured, you can update the desired interface per tunnel using a space-separated list:
config -s config.ipsec.interfaces="ipsec0=wwan0 ipsec1=eth0" -r ipsec
Note: for firmware 4.10 or older, follow the steps below:
In the "System > IP > Route Settings" page, add a new route:
Destination Network: <this field is your IPSEC server address>
Destination netmask: 32
Route Gateway: <leave blank>
Interface: Internal Cellular Modem
In the "Serial & Network > IPSEC VPN" page, edit the tunnel and add the following Custom Tunnel Option:
Option Name: left
Argument: %wwan0
You will need to log in as root on the CLI and edit /etc/config/ipsec.conf. Make sure to add the quotes.
Replace the line
interfaces=%defaultroute
with this
interfaces="ipsec0=wwan0"
sed can be used to update the default ipsec.conf file with the command below:
sed -i 's/%defaultroute/"ipsec0=wwan0"/g' /etc/config/ipsec.conf
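The sed command above replaces every %defaultroute in the file, including any that appear on other lines such as left=. The following is an added example, not part of the original article or the vendor's tooling: it rewrites only the interfaces= line, keeps a backup, and is safe to run twice. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Rewrites only the "interfaces=" line of an
# ipsec.conf, leaving every other %defaultroute (e.g. left=) untouched.

# write_sample_conf FILE: writes a CONSTRUCTED sample config for trying this out.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    interfaces=%defaultroute

conn tunnel1
    left=%defaultroute
    right=192.0.2.10
EOF
}

# set_ipsec_interface FILE [MAPPING]
# MAPPING defaults to the article's value, ipsec0=wwan0.
# Returns: 0 updated or already set, 1 I/O error, 2 no interfaces= line,
#          3 MAPPING contains unexpected characters.
set_ipsec_interface() {
    conf=$1
    mapping=${2:-ipsec0=wwan0}

    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 1; }

    # Only allow name=iface pairs separated by spaces; anything else could
    # break the sed expression below.
    if printf '%s\n' "$mapping" | grep -q '[^A-Za-z0-9=._ -]'; then
        echo "unexpected characters in mapping" >&2; return 3
    fi

    grep -q '^[[:space:]]*interfaces=' "$conf" ||
        { echo "no interfaces= line in $conf" >&2; return 2; }

    # Anchor on the key so only the interfaces= line changes; keep its indent.
    sed "s|^\\([[:space:]]*\\)interfaces=.*\$|\\1interfaces=\"$mapping\"|" \
        "$conf" > "$conf.tmp" || return 1

    # Nothing to change: leave the file and any earlier backup alone.
    if cmp -s "$conf" "$conf.tmp"; then rm -f "$conf.tmp"; return 0; fi

    # Back up, then overwrite in place so owner and mode are preserved.
    cp -p "$conf" "$conf.bak" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}
```

On the device this would be called as set_ipsec_interface /etc/config/ipsec.conf while logged in as root; the previous file is kept as /etc/config/ipsec.conf.bak.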
The cellular modem connection process dynamically assigns the wwan0 or wwan1 interface name. Follow the steps below to always assign wwan0 as the cellular interface.
We can block the wwan1 interface and only allow the wwan0 interface for cellular. Create the file /etc/config/udev/rules.d/79-blacklist-wwan1.rules with these contents:
# If the modem has both wwan0 and wwan1, ModemManager may assign the IP
# address to wwan1. Set this property to blacklist wwan1 so that the IP
# is always assigned to wwan0 instead.
ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wwan", KERNEL=="wwan1", \
ENV{ID_MM_PORT_IGNORE}:="1"