Bug #11832

closed

``ipsec_vti()`` does not skip disabled VTI entries

Added by Viktor Gurov 6 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
04/21/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
2.5.1
Affected Architecture:

Description

https://github.com/pfsense/pfsense/blob/3af1961155caafb890cfb635d7278e1498ae7423/src/etc/inc/ipsec.inc#L959:

            if (!$skipdisabled && isset($ph2ent['disabled'])) {
                continue;

- is incorrect; it should be:

            if ($skipdisabled && isset($ph2ent['disabled'])) {
                continue;

Because of this, `interface_ipsec_vti_configure()` tries to configure disabled VTI interfaces
and `upgrade_208_to_209()` could work incorrectly for IKEv1/SplitConnectionIKEv2 VTIs:
https://github.com/pfsense/pfsense/blob/3af1961155caafb890cfb635d7278e1498ae7423/src/etc/inc/upgrade_config.inc#L6248:

    foreach ($config['ipsec']['phase1'] as $ph1ent) {
        if (!isset($ph1ent['mobile']) &&
            ($ph1ent['iketype'] == 'ikev1' ||
            isset($ph1ent['splitconn']))) {
            $vtisubnet_spec = ipsec_vti($ph1ent, true, false);
            if (empty($vtisubnet_spec)) {
                continue;
            }

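To make the inversion concrete, the following PHP snippet is an illustration added to this report, not code from pfSense and not the reporter's: a minimal stand-in for the phase-2 loop in `ipsec_vti()` that evaluates the condition as committed next to the corrected one over constructed phase-2 entries. The function `select_vti_entries`, the helper `expect` and the sample data are hypothetical; only the two `if` conditions are taken from the report.

```php
<?php
// Added example for this report, not pfSense code: a stand-in for the phase-2
// filtering loop in ipsec_vti(), so the effect of the inverted $skipdisabled
// test can be seen directly. Names and data below are constructed.

// Constructed phase-2 entries for one IKEv1 phase-1 (ikeid 1): one active VTI,
// one disabled VTI, and a tunnel-mode entry that is never a VTI.
const PHASE2 = [
    ['ikeid' => 1, 'mode' => 'vti',    'descr' => 'vti-active'],
    ['ikeid' => 1, 'mode' => 'vti',    'descr' => 'vti-disabled', 'disabled' => true],
    ['ikeid' => 1, 'mode' => 'tunnel', 'descr' => 'tunnel'],
];

// Returns the descriptions of the VTI phase-2 entries selected for $ph1ent.
// $as_committed = true uses the condition quoted in the report,
// "!$skipdisabled && isset(...)"; false uses the corrected
// "$skipdisabled && isset(...)".
function select_vti_entries(array $ph1ent, array $phase2, bool $skipdisabled, bool $as_committed): array
{
    $selected = [];
    foreach ($phase2 as $ph2ent) {
        // Only VTI phase-2 entries belonging to this phase-1 are of interest.
        if ($ph2ent['ikeid'] != $ph1ent['ikeid'] || $ph2ent['mode'] != 'vti') {
            continue;
        }
        $skip = $as_committed
            ? (!$skipdisabled && isset($ph2ent['disabled']))
            : ($skipdisabled && isset($ph2ent['disabled']));
        if ($skip) {
            continue;
        }
        $selected[] = $ph2ent['descr'];
    }
    return $selected;
}

// Fails loudly if the selection differs from what the caller intended.
function expect(array $got, array $want, string $what): void
{
    if ($got !== $want) {
        throw new RuntimeException("$what: got " . json_encode($got) . ", want " . json_encode($want));
    }
    echo "$what: " . json_encode($got) . PHP_EOL;
}

$ph1 = ['ikeid' => 1, 'iketype' => 'ikev1'];

// A caller passing $skipdisabled = true, as upgrade_208_to_209() does with
// ipsec_vti($ph1ent, true, false), intends disabled entries to be dropped.
// With the committed condition the disabled VTI is returned anyway.
expect(select_vti_entries($ph1, PHASE2, true, true),  ['vti-active', 'vti-disabled'], 'skipdisabled=true, committed condition');
expect(select_vti_entries($ph1, PHASE2, true, false), ['vti-active'],                 'skipdisabled=true, corrected condition');

// A caller passing $skipdisabled = false intends every VTI entry back, but the
// committed condition drops exactly the disabled one.
expect(select_vti_entries($ph1, PHASE2, false, true),  ['vti-active'],                 'skipdisabled=false, committed condition');
expect(select_vti_entries($ph1, PHASE2, false, false), ['vti-active', 'vti-disabled'], 'skipdisabled=false, corrected condition');
```

Run with `php` on the command line; each `expect` line prints the selection it checks, and the two calls marked "committed condition" show that the `$skipdisabled` flag acts in exactly the opposite sense from its name, which is the behaviour this report describes for `interface_ipsec_vti_configure()` and `upgrade_208_to_209()`.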