Feature #12397 (closed)

Distinguish between policy-based and route-based entries on IPsec status SPD tab

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Very Low
Category: IPsec
% Done: 100%
Plus Target Version: 22.01
Release Notes: Default

Description

The IPsec Status SPD tab at status_ipsec_spd.php prints information from the security policy database, but it currently does not distinguish between policy-based entries (tunnel mode) and route-based entries (VTI mode). This can confuse users, since some entries appear to conflict when they actually do not.

This output is from a tunnel mode entry:

10.14.1.0/24[any] 10.8.0.0/24[any] any
        out ipsec
        esp/tunnel/198.51.100.14-198.51.100.8/unique:16
        created: Sep 22 08:33:50 2021  lastused: Sep 22 08:33:50 2021
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=156 seq=33 pid=38035 scope=global
        refcnt=1

Note the scope=global.

This is an entry from a VTI mode tunnel:

0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/198.51.100.14-198.51.100.21/unique:5029
        spid=138 seq=3 pid=38035 scope=ifnet ifname=ipsec29
        refcnt=1

Note that it has scope=ifnet and also lists the specific VTI interface (ipsec29).

Additionally, at some point the output of the command changed and the reqid is no longer parsed properly. This output is from ipsec_dump_spd(); note that reqid should be just the number:

  [69]=>
  array(7) {
    ["srcid"]=>
    string(4) "::/0" 
    ["dstid"]=>
    string(4) "::/0" 
    ["dir"]=>
    string(3) "out" 
    ["proto"]=>
    string(3) "esp" 
    ["src"]=>
    string(13) "198.51.100.14" 
    ["dst"]=>
    string(13) "198.51.100.21" 
    ["reqid"]=>
    string(10) "nique:5029" 
  }

The reqid string is not currently used, so it is not a bug yet, but it needs to be fixed since we should display that value on the page.

What should happen is:

  • Fix reqid parsing in ipsec_dump_spd()
  • ipsec_dump_spd() should parse and include data for scope and (if present) ifname
  • status_ipsec_spd.php should include columns for reqid and scope as the first two columns. If scope is ifnet, it should display the ifname instead of ifnet.
  • Ideally the output should sort by reqid so that in/out entries for tunnels are grouped.
  • Consider changing the order of "Tunnel Endpoints" and their arrow to match the "Direction" column as it seems confusing to have the arrows pointing different directions on inbound entries
  • Bonus points for displaying P2 descr and linking to P2 edit but that may clutter the page
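The following is an added example, not pfSense's own ipsec_dump_spd() (which is PHP) or any code from this issue. It parses SPD output in the format quoted above into the same field names the var_dump() shows (srcid, dstid, dir, proto, src, dst, reqid), takes reqid as only the number after "unique:", records scope and ifname, sorts entries by reqid, and shows the interface name instead of "ifnet" in the scope column. The sample input is constructed here: it is the two entries quoted in the issue plus an inbound policy-based entry (spid=155) made up to show the in/out grouping; the "fwd", "discard" and "none" keywords and the transport-mode "esp/transport//require" policy line are handled on the assumption that setkey prints them in the same layout.

```python
"""Parse SPD output of the form quoted in the issue and present it with the
columns the issue asks for. Added illustration, not pfSense's ipsec_dump_spd()."""
import re
from typing import Optional

# Constructed sample: the two entries from the issue plus an inbound
# policy-based entry (spid=155) invented here so reqid grouping is visible.
SAMPLE_SPD = """\
10.14.1.0/24[any] 10.8.0.0/24[any] any
        out ipsec
        esp/tunnel/198.51.100.14-198.51.100.8/unique:16
        created: Sep 22 08:33:50 2021  lastused: Sep 22 08:33:50 2021
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=156 seq=33 pid=38035 scope=global
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out ipsec
        esp/tunnel/198.51.100.14-198.51.100.21/unique:5029
        spid=138 seq=3 pid=38035 scope=ifnet ifname=ipsec29
        refcnt=1
10.8.0.0/24[any] 10.14.1.0/24[any] any
        in ipsec
        esp/tunnel/198.51.100.8-198.51.100.14/unique:16
        spid=155 seq=34 pid=38035 scope=global
        refcnt=1
"""

# "srcid[port] dstid[port] upperspec" opens an entry (no leading whitespace).
SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
# "proto/mode/src-dst/level"; the src-dst pair is absent in transport mode.
POLICY_RE = re.compile(r"^(\w+)/(\w+)/(?:([^-/]+)-([^/]+))?/(.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def reqid_from_level(level: str) -> Optional[int]:
    """'unique:5029' -> 5029. Levels without a reqid ('require', 'use',
    'default') give None instead of a mis-sliced string like 'nique:5029'."""
    name, sep, value = level.partition(":")
    if name == "unique" and sep and value.isdigit():
        return int(value)
    return None


def parse_spd(text: str) -> list:
    """Return one dict per SPD entry with the fields the issue wants."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line!r}")
            current = {"srcid": m.group(1), "dstid": m.group(3),
                       "upper": m.group(5), "reqid": None,
                       "scope": None, "ifname": None}
            entries.append(current)
            continue
        if current is None:
            raise ValueError("continuation line before any selector line")
        body = line.strip()
        parts = body.split()
        if (len(parts) == 2 and parts[0] in ("in", "out", "fwd")
                and parts[1] in ("ipsec", "discard", "none")):
            current["dir"], current["policy"] = parts
        elif (m := POLICY_RE.match(body)):
            current["proto"], current["mode"] = m.group(1), m.group(2)
            current["src"], current["dst"] = m.group(3), m.group(4)
            current["reqid"] = reqid_from_level(m.group(5))
        else:
            # spid=... seq=... scope=global / scope=ifnet ifname=ipsec29 / refcnt=...
            for key, value in KV_RE.findall(body):
                current[key] = value
    return entries


def sort_by_reqid(entries) -> list:
    """Group in/out entries of one tunnel together; entries without a reqid last."""
    return sorted(entries, key=lambda e: (e["reqid"] is None,
                                          e["reqid"] or 0, e.get("dir", "")))


def scope_label(entry) -> str:
    """Scope column: the VTI interface name for scope=ifnet, else the scope."""
    if entry["scope"] == "ifnet" and entry["ifname"]:
        return entry["ifname"]
    return entry["scope"] or "-"


def render_table(entries) -> list:
    """Plain-text rows with reqid and scope as the first two columns."""
    rows = [f"{'reqid':>6} {'scope':<8} {'dir':<3} {'srcid':<16} {'dstid':<16} endpoints"]
    for e in sort_by_reqid(entries):
        reqid = "-" if e["reqid"] is None else e["reqid"]
        endpoints = f"{e.get('src') or '-'} -> {e.get('dst') or '-'}"  # packet direction
        rows.append(f"{reqid:>6} {scope_label(e):<8} {e.get('dir', '-'):<3} "
                    f"{e['srcid']:<16} {e['dstid']:<16} {endpoints}")
    return rows


if __name__ == "__main__":
    for row in render_table(parse_spd(SAMPLE_SPD)):
        print(row)
```

Running the script prints the two reqid 16 entries (in, then out) followed by the reqid 5029 entry with "ipsec29" in its scope column, which is the grouping the issue asks status_ipsec_spd.php to produce.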