Feature #1864
closed
"Start" button for IPsec should be available for IP alias networks
0%
Description
If the local subnet of an IPsec network is an IP alias, the "start" button under Status>IPsec doesn't show up. That's normal where it isn't really a direct attached network, but should add consideration for IP alias subnets that are assigned.
Files
Updated by Chris Buechler over 12 years ago
- Status changed from New to Assigned
- Assignee set to Darren Embry
- Target version set to 2.1
Updated by Darren Embry over 12 years ago
- Status changed from Assigned to Feedback
If you could give me steps to reproduce/get to state where there should be a start button but isn't one, that would be awesome. More stuff I've never really dealt with here so I'm not sure what settings I'd have to change, etc.
Updated by Chris Buechler over 12 years ago
- File config-pfSense.localdomain-20120331043309.xml config-pfSense.localdomain-20120331043309.xml added
- Status changed from Feedback to Assigned
- Affected Version set to All
example config attached. See Status>IPsec. The one with "Local network" LAN has the Start button. If you check Firewall>Virtual IPs, you'll see 192.168.2.1 is assigned to the LAN, and hence there should be a start button on the second one as well (it can initiate traffic from the "local network" as it has an IP within that subnet).
Updated by Darren Embry over 12 years ago
Would this be the proper link URL?
/diag_ipsec.php?act=connect&remoteid=192.168.44.0&source=192.168.2.1
And what if multiple IP addresses within 192.168.2.0/24 are assigned to the LAN? (would this ever be true?) just use the first one found?
Updated by Darren Embry over 12 years ago
what if an ipsec had 192.168.2.0/28 and the virtual ip's had 192.168.2.1/24?
what if an ipsec had 192.168.2.0/24 and the virtual ip's had 192.168.2.1/28?
Updated by Jim Pingle over 12 years ago
In any of those cases it doesn't matter as long as there is a VIP somewhere inside of the IPsec subnet it will work.
In either of your example cases, the VIP of .1 is still inside that subnet/IP range, so it would still work.
Updated by Darren Embry over 12 years ago
- Assignee changed from Darren Embry to Chris Buechler
Just pushed 59231855 which is about all I can do at this point.
I don't have a way of testing whether the start button for an IPsec on an alias is going to work.
And this probably needs more testing, generally, but with attached XML config the start button shows up.
Reassigning to Chris.
I use check_subnets_overlap so both cases above should work fine.
Updated by Chris Buechler almost 12 years ago
- Status changed from Assigned to Resolved