Bug #1560
closed
IPsec GUI needs to reject duplicate subnets in phase 2s for a given phase 1.
Added by Jim Pingle almost 13 years ago.
Updated almost 13 years ago.
Affected Architecture:
All
Description
Currently, the GUI lets you specify the same source/destination subnet more than once in the list of phase 2 definitions. This includes listing the same subnet twice in a set of mobile phase 2s. This results in an invalid racoon configuration.
With a site-to-site phase 1, it doesn't appear to prevent racoon from starting but does log an error. With a mobile phase 1 it prevents racoon from starting.
Easy to reproduce by enabling mobile clients, setting up phase 1, and adding the same phase 2 in twice.
Error from the IPsec log:
racoon: ERROR: /var/etc/racoon.conf:106: "}" duplicated sainfo: loc='192.168.16.0/24', rmt='ANONYMOUS', peer='ANY', id=1
Looks like mgrooms knew this would be a problem when the new IPsec code went in:
Line 144 of usr/local/www/vpn_ipsec_phase2.php:
/* TODO : Validate enabled phase2's are not duplicates */
Turns out that if racoon is already running, it will keep running when reloaded with this config, but the tunnel in question doesn't work. If racoon is stopped, it will not start with this config.
- Status changed from New to Feedback
- Status changed from Feedback to New
- % Done changed from 0 to 70
Still at least one case that needs checking:
It still allows you to overlap if you use the "[Interface Name] subnet" drop-down choice and also manually entering the same subnet. So if you have 192.168.16.x for LAN, and you make one p2 with "LAN Subnet" chosen and one with "192.168.16.0/24", it's allowed.
Also if the IP on the subnet isn't the proper subnet boundary it's also allowed. Not sure how racoon likes that anyhow. (192.168.16.0/24 and 192.168.16.5/24 are passed through the GUI checks).
The other cases appear to reject properly now though, where the same choices are used or identical IPs are entered.
Is 192.168.16.5/24 input considered valid? It's easier to error on this in gui...
- Status changed from New to Resolved
Tested a few different scenarios and this seems to be solved all the way around. Thanks!
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Ermal Luçi