Routing and IPsec

This Howto provides information on extra routes in IPsec VPN (Dynamic VPN).

The Problem: No Foreign Routes Allowed

The IPsec VPN is strict about what network traffic is allowed to flow through the VPN tunnel. Consider this scenario:

  • Headquarters with 2 LAN segments: and
  • Remote office with 1 LAN segment:

The Dynamic VPN system will automatically connect the first LAN of each system to the other. When the tunnel is established, systems on and are connected. However, systems on the headquarters' second LAN - - will not be connected to

You may be tempted to add a static route to force traffic down the IPsec VPN tunnel. However, the IPsec policy engine will not allow this traffic to pass and the traffic is quietly dropped.


The Dynamic VPN settings on the headquarters system can be tweaked to include both LANs. This can be done by adding/editing the LANNET parameter in /etc/firewall (version 5.x) or /etc/clearos/firewall.conf (version 6), or /etc/clearos/dynamic_vpn.conf for ClearOS Version 7.x.


The /23 means that both 192.168.0.x and 192.168.1.x are included in the IPsec routing policy.

After making this configuration change, restart the Dynamic VPN software on both ends of the connection.
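Before editing LANNET, it helps to confirm that the chosen CIDR really covers every LAN that must use the tunnel and nothing more. The following checker is an added example written for this howto, not ClearOS code; it uses the two headquarters LANs from the page (192.168.0.x and 192.168.1.x, combined as /23) as constructed sample input and goes one step further by showing how a third LAN forces a wider policy that also admits address space that is not a LAN at all.

```python
import ipaddress


def covering_supernet(lans):
    """Smallest single CIDR that contains every listed LAN (IPv4 assumed)."""
    nets = [ipaddress.ip_network(lan) for lan in lans]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit at a time
    return str(candidate)


def check_lannet(lannet, lans):
    """Compare a LANNET policy against the LANs that must use the tunnel.

    Returns (missing, extra): LANs the policy does not cover (their traffic
    is dropped by the IPsec policy engine) and address space inside the
    policy that belongs to none of the listed LANs (the tunnel would carry
    more than intended).
    """
    policy = ipaddress.ip_network(lannet)
    nets = [ipaddress.ip_network(lan) for lan in lans]
    missing = [str(n) for n in nets if not n.subnet_of(policy)]
    remaining = [policy]
    for n in nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):          # leftover is entirely a LAN
                continue
            if n.subnet_of(r):          # carve the LAN out of the leftover
                nxt.extend(r.address_exclude(n))
            else:                       # disjoint, leftover untouched
                nxt.append(r)
        remaining = nxt
    extra = [str(r) for r in sorted(remaining)]
    return missing, extra


if __name__ == "__main__":
    # Constructed sample: the two headquarters LANs from this howto.
    hq_lans = ["192.168.0.0/24", "192.168.1.0/24"]
    print("LANNET:", covering_supernet(hq_lans))        # 192.168.0.0/23
    print(check_lannet("192.168.0.0/24", hq_lans))       # second LAN missing
    # A third LAN forces a /22, which also drags in 192.168.3.0/24.
    print(check_lannet("192.168.0.0/22", hq_lans + ["192.168.2.0/24"]))
```

If `extra` is non-empty, either renumber the LANs so they fit one supernet exactly or accept that the wider policy admits the listed surplus ranges.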

content/en_us/kb_o_routing_and_ipsec.txt · Last modified: 2016/11/01 17:57 by dloper