Bug #15147

closed

Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families

Added by Lars Wolos 12 months ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

If in Phase 1, Internet Protocol "Both (Dual Stack)" is selected, then under Remote Gateway the explanation in the blue info icon ("More information") has an issue leaving the user somewhat clueless whether to put '0.0.0.0' or '::', if the aim is to allow connections BOTH from any IPv4 address AND connections from any IPv6 address. Please add some clarification to the text in this regard.

I suggest the following addition to the info box (only if this is correct - please confirm):

If Internet Protocol is set to 'Both (Dual Stack)', using either '0.0.0.0' or '::' will allow connections both from any IPv4 and from any IPv6.

#1

Updated by Jim Pingle 12 months ago

  • Tracker changed from Bug to Todo
  • Subject changed from Add Dual Stack explanation to IPSec Phase 1 Remote Gateway info box to Add Dual Stack explanation to IPsec Phase 1 Remote Gateway info box
  • Target version set to 2.8.0
  • Plus Target Version set to 24.03
  • Affected Version deleted (All)

#2

Updated by Kris Phillips 11 months ago

Can confirm that this is very confusing. It might be better to add an "Allow from Any Source" checkbox that just applies this instead. We could then hide this option for VTI connections and use form validation to always make 0.0.0.0 or :: invalid entries. Just my thoughts.

#3

Updated by Jim Pingle 10 months ago

  • Tracker changed from Todo to Bug
  • Subject changed from Add Dual Stack explanation to IPsec Phase 1 Remote Gateway info box to Cannot configure dual stack IPsec tunnel to accept connections from any remote address on both address families
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle

The suggested note addition isn't accurate; only tunnels of the same address family as the remote gateway are allowed to connect with the current code. It's easy to work around without adding another checkbox, though.

Changing this to a bug since at the moment it's impossible to configure this and it should be working.

#4

Updated by Jim Pingle 10 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#5

Updated by Alhusein Zawi 9 months ago

  • Status changed from Feedback to Closed

note was added

24.03.b.20240322.1708
