Added by Chris Buechler about 13 years ago. Updated almost 12 years ago.
0%
Description
If the local subnet of an IPsec network is an IP alias, the "start" button under Status>IPsec doesn't show up. That's normal where it isn't really a direct attached network, but should add consideration for IP alias subnets that are assigned.
Files
| config-pfSense.localdomain-20120331043309.xml (18.5 KB) config-pfSense.localdomain-20120331043309.xml | Chris Buechler, 03/31/2012 12:29 AM |
Updated by Chris Buechler over 12 years ago
Updated by Darren Embry over 12 years ago
If you could give me steps to reproduce/get to state where there should be a start button but isn't one, that would be awesome. More stuff I've never really dealt with here so I'm not sure what settings I'd have to change, etc.
Updated by Chris Buechler over 12 years ago
example config attached. See Status>IPsec. The one with "Local network" LAN has the Start button. If you check Firewall>Virtual IPs, you'll see 192.168.2.1 is assigned to the LAN, and hence there should be a start button on the second one as well (it can initiate traffic from the "local network" as it has an IP within that subnet).
Updated by Darren Embry over 12 years ago
Would this be the proper link URL?
/diag_ipsec.php?act=connect&remoteid=192.168.44.0&source=192.168.2.1
And what if multiple IP addresses within 192.168.2.0/24 are assigned to the LAN? (would this ever be true?) just use the first one found?
Updated by Darren Embry over 12 years ago
what if an ipsec had 192.168.2.0/28 and the virtual ip's had 192.168.2.1/24?
what if an ipsec had 192.168.2.0/24 and the virtual ip's had 192.168.2.1/28?
Updated by Jim Pingle over 12 years ago
In any of those cases it doesn't matter as long as there is a VIP somewhere inside of the IPsec subnet it will work.
In either of your example cases, the VIP of .1 is still inside that subnet/IP range, so it would still work.
Updated by Darren Embry over 12 years ago
Just pushed 59231855 which is about all I can do at this point.
I don't have a way of testing whether the start button for an IPsec on an alias is going to work.
And this probably needs more testing, generally, but with attached XML config the start button shows up.
Reassigning to Chris.
I use check_subnets_overlap so both cases above should work fine.
Updated by Chris Buechler almost 12 years ago