A LAN-to-LAN IPsec tunnel on a DAL router can also be used to manage the router itself through the LAN interface IP address. If no device is connected to the LAN interface, this may or may not work, depending on how the Local Network is configured in the IPsec tunnel policy:
If the Network is set as LAN in the IPsec Policy (Policy > Local Network > Network + LAN):
With the above setting, by default, if the LAN is disconnected the router does not detect an active interface (and therefore no IP/mask to use), so the tunnel will NOT be negotiated.
This configuration is useful when the tunnel is used mainly to reach devices connected to the LAN interface: when nothing is connected, it avoids flooding the remote peer with unnecessary negotiation attempts.
If instead the tunnel needs to be always UP regardless of the actual LAN status, this can be achieved with one of the following methods:
1. Leaving the policy as above and using the "Force Link" option (available starting from firmware 23.9.20.63):
2. Configuring the local policy as Custom Network, specifying the LAN subnet and adding a Loopback interface:
In this case, the tunnel will be UP even if the LAN is disconnected. However, this alone is not enough to make the router reachable via the tunnel on its LAN IP, because the LAN interface is down (so not active) and does not reply to ping or other traffic.
Reachability can be obtained by creating a Loopback interface with the same address as the LAN interface but with a /32 mask and a higher metric (i.e., lower priority), so that it becomes active, for management purposes via the tunnel only, when the real LAN interface is down/disconnected.
Example of how to configure the loopback interface and the LAN for this purpose:
In the above example the real LAN interface is 192.168.2.1/24 and the loopback interface is 192.168.2.1/32.
So what will happen is:
- When the LAN is connected, the LAN IP and the LAN devices will be reachable via the tunnel.
- When the LAN is disconnected, the router will still be reachable via the tunnel: with the LAN interface down, the Loopback interface with the same IP/32 becomes active and answers via the tunnel.
This configuration is very useful when the router needs to be managed via the IPsec tunnel but does not always have something connected to the LAN interface.
Last updated:
Aug 21, 2024