How to access a DAL router on LAN IP via an IPsec tunnel if the LAN is down

A LAN-to-LAN IPsec tunnel on a DAL router can also be used to manage the router itself through its LAN interface IP address. If no device is connected to the LAN interface, this may or may not work, depending on how the Local Network is configured in the IPsec tunnel Policy:

1) Policy > Local Network > Network + LAN

If the LAN is disconnected, the router does not detect an active interface and IP/mask to use, and the tunnel will NOT be negotiated.
This configuration is useful when the tunnel is used mainly to reach devices connected to the LAN interface: if nothing is connected, it avoids flooding the other peer with unnecessary negotiation attempts.

2) Policy > Local Network > Custom Network + LAN subnet

If instead the tunnel needs to be always UP regardless of the LAN status, configure the local policy as Custom Network, specifying the LAN subnet:


In this case, the tunnel will be UP even if the LAN is disconnected. However, this is not enough to make the router reachable via the tunnel on its LAN IP, because the LAN interface is down (so not active) and does not reply to ping or other traffic.

A way to obtain this is to create a Loopback interface associated with the LAN interface, with the same address but with a /32 mask and a higher metric (i.e. lower priority), so that it is active for management via the tunnel only when the real LAN interface is down/disconnected.

Example of how to configure the loopback interface and the LAN for this purpose:


In the above example the real LAN subnet is and  the loopback interface

So what will happen is:

- When the LAN is connected, the LAN IP and the LAN devices will be reachable via the tunnel.
- When the LAN is disconnected, the router will still be reachable via the tunnel: with the LAN down, the Loopback interface, with the same IP/32, becomes active and reachable via the tunnel.

This configuration can be very useful when the router needs to be managed via the IPsec tunnel but doesn't always have something connected to the LAN interface.
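
A sanity check for the addressing plan described above, before it is applied to a router. This is an added example, not code from the original article or the router vendor; the function name, parameter names and sample values are assumptions constructed for illustration, and IPv4 is assumed.

```python
import ipaddress


def check_plan(lan_cidr, lan_metric, loopback_cidr, loopback_metric, policy_local_net):
    """Return a list of problems; an empty list means the plan follows the article.

    All parameter names are hypothetical; they are not DAL configuration keys.
    """
    lan = ipaddress.ip_interface(lan_cidr)
    loop = ipaddress.ip_interface(loopback_cidr)
    policy = ipaddress.ip_network(policy_local_net, strict=False)
    problems = []

    # Custom Network in the tunnel policy must be the LAN subnet, so the
    # tunnel is negotiated even when the LAN interface is down.
    if policy != lan.network:
        problems.append(
            "policy local network %s is not the LAN subnet %s" % (policy, lan.network)
        )

    # The loopback must carry the same address as the LAN interface ...
    if loop.ip != lan.ip:
        problems.append("loopback IP %s differs from LAN IP %s" % (loop.ip, lan.ip))

    # ... but as a single host address.
    if loop.network.prefixlen != 32:
        problems.append("loopback mask is /%d, expected /32" % loop.network.prefixlen)

    # Higher metric means lower priority: the loopback only takes over
    # when the real LAN interface is down.
    if loopback_metric <= lan_metric:
        problems.append(
            "loopback metric %d must be higher than LAN metric %d"
            % (loopback_metric, lan_metric)
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    for issue in check_plan("192.168.2.1/24", 5, "192.168.2.1/32", 10, "192.168.2.0/24"):
        print("PROBLEM:", issue)
```
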
Last updated: Sep 21, 2020
