Project

General

Profile

Actions

Bug #12723

closed

Disallow remote gateway of ``0.0.0.0`` for VTI mode

Added by Chris Linstruth 4 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Since 0.0.0.0 is not compatible with building the correct VTI FreeBSD interface, disallow its use as a remote tunnel endpoint/gateway on a VTI Phase 1.


Related issues

Related to Bug #10638: ipsec VTI interface not setting tunnel parameters when phase1 Remote Gateway is 0.0.0.0Not a Bug06/05/2020

Actions
Actions #1

Updated by Jim Pingle 4 months ago

  • Target version set to 2.7.0
  • Plus Target Version set to 22.05

Because the remote gateway is a P1 setting but VTI is a P2 setting this needs to be checked in multiple places:

  • When saving a P1: If any of the child P2s are set to VTI, generate an input error if the user attempts to set the remote gateway to 0.0.0.0
  • When saving a P2: If the P2 is set to VTI and the remote gateway is 0.0.0.0, generate an input error

Also update the note under Remote Gateway with some guidance here, even if it's just a simple "A remote gateway of 0.0.0.0 is not compatible with VTI, use an FQDN instead" or something along those lines.

Actions #2

Updated by Jim Pingle 4 months ago

  • Related to Bug #10638: ipsec VTI interface not setting tunnel parameters when phase1 Remote Gateway is 0.0.0.0 added
Actions #4

Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review
Actions #5

Updated by Viktor Gurov 3 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #6

Updated by Alhusein Zawi 3 months ago

  • Status changed from Feedback to Resolved

it is not allowed to add 0.0.0.0 as remote GW if there is a VTI as P2 and it is not allowed to add VTI if the remote GW is 0.0.0.0 in P1
"A remote gateway address of "0.0.0.0" or "::" is not compatible with a child Phase 2 in VTI mode.

2.7.0.a.20220218.0600

Actions #7

Updated by Jim Pingle about 2 months ago

  • Subject changed from Disallow 0.0.0.0 as a VTI remote gateway to Disallow remote gateway of ``0.0.0.0`` for VTI mode

Updating subject for release notes.

Actions

Also available in: Atom PDF