Bug #12328

closed

IPsec VTI interface remote endpoint is not resolved the correct way

Added by Jim Pingle over 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: High
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: All
Affected Architecture:

Description

In interface_ipsec_vti_configure(), the remote end of an IPsec VTI interface is not resolved the correct way (e.g. the b.b.b.b part of ifconfig ipsecN tunnel a.a.a.a b.b.b.b).

The remote-gateway value of the IPsec P1 is passed directly to ifconfig, which is fine for IP addresses but not with hostnames. Elsewhere in the IPsec code, ipsec_get_phase1_dst() is used, which runs hostnames through resolve_retry(), which is better than leaving it up to the OS resolver.

This could also be affecting the speed at which VTI interfaces are created or changed (e.g. NG 6586 or NG 6758).

To me, I'm working on a fix.
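
As an added illustration (not pfSense's code and not the fix committed for this bug), the following PHP example shows the pattern the description asks for: turn the phase 1 remote gateway into an IP literal with bounded retries before building the `ifconfig ipsecN tunnel` command, and skip the command when resolution fails. The `example_*` function names, the retry parameters, the stub resolver and the documentation-range addresses are assumptions made for this example.

```php
<?php
// Added example, not pfSense source. All example_* names are hypothetical.

/**
 * Return an IP literal for $gateway, resolving hostnames with bounded retries.
 * $resolver is injectable so the example runs offline; the default asks the OS.
 */
function example_resolve_endpoint(string $gateway, ?callable $resolver = null,
                                  int $retries = 3, int $delay_ms = 200): ?string
{
    // IP literals need no lookup at all.
    if (filter_var($gateway, FILTER_VALIDATE_IP) !== false) {
        return $gateway;
    }
    $resolver = $resolver ?? static function (string $host): array {
        return gethostbynamel($host) ?: [];
    };
    for ($try = 0; $try < $retries; $try++) {
        foreach ($resolver($gateway) as $addr) {
            // Accept only well-formed addresses from the resolver.
            if (filter_var($addr, FILTER_VALIDATE_IP) !== false) {
                return $addr;
            }
        }
        if ($try + 1 < $retries) {
            usleep($delay_ms * 1000); // Brief pause before the next attempt.
        }
    }
    return null; // Caller skips tunnel setup instead of passing the name on.
}

/** Build the tunnel command only from validated IP literals. */
function example_vti_tunnel_cmd(string $ifname, string $local, string $remote_gw,
                                ?callable $resolver = null): ?string
{
    $remote = example_resolve_endpoint($remote_gw, $resolver);
    if ($remote === null || filter_var($local, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return sprintf('/sbin/ifconfig %s tunnel %s %s',
        escapeshellarg($ifname), escapeshellarg($local), escapeshellarg($remote));
}

// Constructed sample data: a stub resolver that fails once, then answers.
$calls = 0;
$stub = function (string $host) use (&$calls): array {
    return (++$calls < 2) ? [] : ['203.0.113.20'];
};
var_dump(example_vti_tunnel_cmd('ipsec1', '198.51.100.10', 'peer.example.net', $stub));
var_dump(example_vti_tunnel_cmd('ipsec2', '198.51.100.10', '203.0.113.30'));
```

The example does not check that the resolved address family matches the local endpoint; a real caller would also need that check before configuring the tunnel.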


Related issues

Related to Bug #12335: IPsec DNS inefficiency (New)
