Project

General

Profile

Actions
Copy link

Bug #2984

closed

IPSec adds route but isn't needed any more

Added by Grischa Zengel almost 11 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
IPsec
Target version:
2.2
Start date:
05/07/2013
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
All

Description

Since route-to and reply-to rules are added, no routing entries are needed any more.

  1. This code worked only with dhcp interfaces, because interface_has_gateway is false on static ips.
  2. The removing code worked only on interface wan.
  3. I have tested this on different interfaces (wan,opt1,dhcp, static ip) with different default gateways.

This code should be obsolet in vpn.inc:

                                /* static route needed? */
                                if (is_ipaddr($ph1ent['interface'])) {
                                        $vip = find_virtual_ip_alias($ph1ent['interface']);
                                        if (preg_match("/^carp|^[a-z0-9]+_vip/i", $vip['interface']))
                                                $parentinterface = link_carp_interface_to_parent($vip['interface']);
                                        else
                                                $parentinterface = $vip['interface'];
                                } else if (preg_match("/^carp|^[a-z0-9]+_vip/i", $ph1ent['interface']))
                                        $parentinterface = link_carp_interface_to_parent($ph1ent['interface']);
                                else
                                        $parentinterface = $ph1ent['interface'];

                                if (is_ipaddr($rgip)) {
                                        /* add endpoint routes to correct gateway on interface */
                                        if (interface_has_gateway($parentinterface)) {
                                                $gatewayip = get_interface_gateway("$parentinterface");
                                                $interfaceip = get_interface_ip($parentinterface);
                                                $subnet_bits = get_interface_subnet($parentinterface);
                                                $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
                                                /* if the remote gateway is in the local subnet, then don't add a route */
                                                if (! ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {
                                                        if(is_ipaddr($gatewayip)) {
                                                                /* FIXME: does adding route-to and reply-to on the in/outbound
                                                                 * rules fix this? smos@ 13-01-2009 */
                                                                // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
                                                                mwexec("/sbin/route change -host {$rgip} {$gatewayip}", true);
                                                        }
                                                }
                                        }
                                }

This means no routes have to delete in vpn_ipsec_phase1.php. This code could be removed, too:

                if ($pconfig['interface'] <> "wan") {
                        if($old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
                                mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
                        }
                }

Perhaps you can remove /sbin/route from pfSense_BUILDER_BINARIES in vpn.inc.

Actions
Copy link

Also available in: Atom PDF