Bug #2884 (closed): Tunnel status in case of NAT before IPSec
Description
Hi,
the status of the Phase2 is reported as down in case of NAT before IPSec, while the tunnel is up and working properly.
The SPD entries look like (Source, Destination, Direction):
- Remote network, Local natted network, >
- Local non-natted network, Remote network, <
Looking at the code, the Phase2 is reported down because the entries are not "specular" (natted/not natted).
Thanks,
Michele
Updated by Chris Buechler over 11 years ago
- Category set to IPsec
- Target version set to 2.1
I've noticed this on every install I've worked on with NAT lately too, it works just fine but the status always shows down.
Updated by Michele Di Maria over 11 years ago
Since the SPD entries are not specular, instead of searching for the "in" entry, we could look for the "out" entry, which is the same for natted/not natted entries... in this case the tunnel is reported as working.
To do that, we should change line 357 of /etc/inc/ipsec.inc to:
else if (!empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id))
Chris, if you think this is not a problem I can change it on GitHub...
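The following is an added illustration of the lookup change proposed above; it is not code from pfSense's ipsec.inc. It models the SPD as a small array (constructed networks), assumes the ">" entry in the report is the inbound policy and "<" the outbound one, and stands in a simplified spd_has_entry() for ipsec_lookup_ipsec_sa().

```php
<?php
// Constructed SPD as described in the report: the inbound entry points at
// the NATed local network, the outbound entry uses the real local network.
$spd = [
    ['src' => '10.99.0.0/24',   'dst' => '172.16.1.0/24', 'dir' => 'in'],  // Remote -> Local natted
    ['src' => '192.168.1.0/24', 'dst' => '10.99.0.0/24',  'dir' => 'out'], // Local non-natted -> Remote
];

// Simplified stand-in for ipsec_lookup_ipsec_sa(): true if an SPD entry
// with this direction, source and destination exists.
function spd_has_entry(array $spd, string $dir, string $src, string $dst): bool
{
    foreach ($spd as $e) {
        if ($e['dir'] === $dir && $e['src'] === $src && $e['dst'] === $dst) {
            return true;
        }
    }
    return false;
}

// Original behaviour: only the inbound entry is consulted, with the
// configured (non-NATed) local network as destination. Under NAT the
// inbound entry carries the NATed network instead, so the match fails
// and Phase 2 is shown as down although traffic flows.
function phase2_up_old(array $spd, array $ph2): bool
{
    return spd_has_entry($spd, 'in', $ph2['remote'], $ph2['local']);
}

// Proposed behaviour: when natlocalid is set, consult the outbound entry,
// whose source is the real local network with or without NAT.
function phase2_up_new(array $spd, array $ph2): bool
{
    if (!empty($ph2['natlocalid'])) {
        return spd_has_entry($spd, 'out', $ph2['local'], $ph2['remote']);
    }
    return spd_has_entry($spd, 'in', $ph2['remote'], $ph2['local']);
}

// Constructed Phase 2 definition with NAT before IPsec enabled.
$ph2 = [
    'local'      => '192.168.1.0/24', // real local network
    'natlocalid' => '172.16.1.0/24',  // network the local side is NATed to
    'remote'     => '10.99.0.0/24',
];

echo 'old check: ' . (phase2_up_old($spd, $ph2) ? 'up' : 'down') . PHP_EOL;
echo 'new check: ' . (phase2_up_new($spd, $ph2) ? 'up' : 'down') . PHP_EOL;
```

Removing the natlocalid key from $ph2 and the NATed destination from the inbound SPD entry makes both checks agree, which is the non-NAT case the original code was written for.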
Updated by Chris Buechler over 11 years ago
That sounds sane. I haven't dug into this part of the code though. If it works and you think that's reasonable, go ahead and send a pull request.
Updated by Renato Botelho over 11 years ago
- Status changed from Feedback to Resolved