Bug #2818

closed

IPSec phase2 "Automatically ping host" function broken. Bug confirmed.

Added by Dan Lundqvist almost 9 years ago. Updated almost 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 02/14/2013
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: All

Description

Tested on: 2.1-BETA1 (i386) built on Sun Feb 10 22:04:57 EST 2013
plus small manual correction from gitsync regarding "link down".
Also have not seen any checkins related to this kind of problem in build between 10-15 Feb.

The IPSec phase2 "Automatically ping host" does not work for IPv4 configured phase 2 tunnels.

Some investigation ruled that the root cause is that the "/var/db/ipsecpinghosts" and "/var/db/currentipsecpinghosts"
do not get populated with IPv4 entries even if they are defined in the IPSec phase2 settings.

I have also tried to clear / apply / reconfigure / apply with recent build but same result.
Only the IPv6 entries are stored.

Which will have the result that NO IPv4 tunnels will have any AutoPing running.

I have confirmed both with printouts of the files above and also verified by doing PacketCapture that only
IPv6 pings are getting through which corresponds to what I see in the ipsecpinghosts and currentipsecpinghosts.

I will remove some unique details in my IP to protect and replace with xxx (local) and yyy (remote).

[2.1-BETA1][]/var/db(3): cat ipsecpinghosts
2001:470:28:xxx::1|2001:470:28:yyy::1|3|||||inet6|

[2.1-BETA1][]/var/db(4): cat currentipsecpinghosts
2001:470:28:xxx::1|2001:470:28:yyy::1|3|||||inet6|

Also see attached config.xml for section: IPSec, Interfaces, Gateways.

Best regards
Dan Lundqvist
Stockholm Sweden



Actions #1

Updated by Dan Lundqvist almost 9 years ago

Updated to "2.1-BETA1 (i386) built on Thu Feb 14 16:27:05 EST 2013" and
tried to clear / apply / reconfigure / apply but same result.
Still does not get IPv4 addresses populated in the ipsecpinghosts.

/Dan Lundqvist

Actions #2

Updated by Renato Botelho almost 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Dan Lundqvist almost 9 years ago

The correction does not work.
The problem is that the $ipsecpinghosts is NOT treated as a table but rather as a single string.
Regardless of where you place the @file_put_contents it will only contain the last read string into the $ipsecpinghosts when it is saved.

I am not 100% sure how the @file_put_contents function works, whether it overwrites the file every time or appends?
I suspect that every time when you try to do the @file_put_contents it overwrites any previous data so even if you
move it closer into the "foreach" loop it will still get the same result as file/data is getting overwritten every time.

At least this is what I am seeing when I am doing troubleshooting.

Looks like someone needs to rethink this and make a new correction.

//Dan Lundqvist

Actions #4

Updated by Dan Lundqvist almost 9 years ago

Or there is something wrong so it doesn't create an array even if it is supposed to do it (the $ipsecpinghosts[]).
Or there is something wrong so that the @file_put_contents doesn't detect that it should save it as an array
and saves it as a single string (just getting the last item in the array).

http://php.net/manual/en/function.file-put-contents.php

If I try to remove the IPv6 AutoPing IP (that is the 3rd IPsec tunnel), the IP from the 2nd IPsec shows up in the
ipsecpinghosts file but only that item.

//Dan Lundqvist

Actions #5

Updated by Dan Lundqvist almost 9 years ago

I think I found the problem.

It needed to be even one more step out of the loop at the end of the foreach phase1 loop as you are doing an “unset($ipsecpinghosts);” which clears the variable
so it was cleared at every phase2 iteration instead of after the whole phase1/phase2 iteration causing only the last phase2 iteration to stick in the file.
I have now tested this and now it works OK...

                    }
                    $dstip = $ph2ent['pinghost'];
                    if(is_ipaddrv6($dstip)) {
                        $family = "inet6";
                    } else {
                        $family = "inet";
                    }
                    if (is_ipaddr($srcip))
                        $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
                }
            }
            // ORIGINAL PLACE BEFORE CORRECTION
        }
        // OLD PLACE BY YOUR CORRECTION
    }
    // NEW PLACE
    @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
    // NEW PLACE
    unset($ipsecpinghosts);
}

//Dan Lundqvist
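
The overwrite behaviour discussed in comments #3 to #5, as an added stand-alone example that is not part of the thread and is not pfSense code: writing and unsetting the array inside the loop leaves only the last entry on disk, while accumulating and writing once after both loops keeps every entry. The config layout, function names and addresses are assumptions made for the illustration, and `filter_var()` stands in for pfSense's `is_ipaddrv6()`.

```php
<?php
// Added illustration, not pfSense code. The config layout and function names are
// hypothetical; addresses are constructed from documentation ranges.
$phase1s = [
    ['src' => '192.0.2.1',     'phase2' => [['pinghost' => '198.51.100.1']]],
    ['src' => '192.0.2.1',     'phase2' => [['pinghost' => '198.51.100.2']]],
    ['src' => '2001:db8:1::1', 'phase2' => [['pinghost' => '2001:db8:2::1']]],
];

// Build one line in the ipsecpinghosts format shown in the report.
function pinghost_entry(string $src, string $dst): string {
    // filter_var() stands in for pfSense's is_ipaddrv6() helper.
    $family = filter_var($dst, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) ? 'inet6' : 'inet';
    return "{$src}|{$dst}|3|||||{$family}|\n";
}

// Write and unset inside the loop: each call truncates the file, so only the
// entry from the final iteration survives.
function write_inside_loop(array $phase1s, string $path): void {
    foreach ($phase1s as $ph1) {
        foreach ($ph1['phase2'] as $ph2) {
            $hosts[] = pinghost_entry($ph1['src'], $ph2['pinghost']);
            file_put_contents($path, $hosts); // no FILE_APPEND flag: overwrite
            unset($hosts);
        }
    }
}

// Accumulate across both loops, then write once. file_put_contents() accepts
// an array and writes its elements back to back.
function write_after_loops(array $phase1s, string $path): void {
    $hosts = [];
    foreach ($phase1s as $ph1) {
        foreach ($ph1['phase2'] as $ph2) {
            $hosts[] = pinghost_entry($ph1['src'], $ph2['pinghost']);
        }
    }
    file_put_contents($path, $hosts);
}

$path = tempnam(sys_get_temp_dir(), 'ipsecpinghosts');
write_inside_loop($phase1s, $path);
echo "write inside loop:\n", file_get_contents($path);
write_after_loops($phase1s, $path);
echo "write after loops:\n", file_get_contents($path);
unlink($path);
```

With this constructed input the first listing holds only the inet6 line, the same symptom as the ipsecpinghosts file in the report, and the second holds all three entries.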

Actions #7

Updated by Dan Lundqvist almost 9 years ago

Thanks for that Renato. :-)

//Dan

Actions #8

Updated by Renato Botelho almost 9 years ago

  • Status changed from Feedback to Resolved