Bug #2884
closed
Tunnel status in case of NAT before IPSec
Added by Michele Di Maria over 11 years ago.
Updated over 11 years ago.
Description
Hi,
the status of the Phase2 is reported as down in case of NAT before IPSec, while the tunnel is up and working properly.
The SPD entries look like (Source, Destination, Direction):
- Remote network, Local natted network, >
- Local non-natted network, Remote network, <
Looking at the code, the Phase2 is reported down because the entries are not "specular" (natted/not natted).
Thanks,
Michele
- Category set to IPsec
- Target version set to 2.1
I've noticed this on every install I've worked on with NAT lately too, it works just fine but the status always shows down.
Since the SPD entries are not specular, instead of searching for the "in" entry, we could look for the "out" entry, which is the same for natted/not natted entries... in this case the tunnel is reported as working.
To do that, we should change in /etc/inc/ipsec.inc the line 357 to:
else if (!empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id))
Chris, if you think this is not a problem I can change it on GitHub...
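The following is an added example, not code from pfSense or from anyone in this thread. It models the Phase 2 status check described above against a constructed SPD (not real setkey output) to show why a lookup of the "in" entry fails once NAT is applied before IPsec, while a lookup of the "out" entry succeeds for both natted and non-natted tunnels. The function names (spd_has_entry, ph2_up_via_in, ph2_up_via_out, ph2_status), the array layout and the network addresses are assumptions made for illustration; ipsec_lookup_ipsec_sa() from ipsec.inc is only stood in for, not reproduced. The model assumes that the status check compares the Phase 2's configured (non-natted) local network against the SPD, which is what the report implies.

```php
<?php
// Added example (not pfSense code): a model of the Phase 2 status check
// against SPD entries, to show why looking up the "in" entry fails when
// NAT is applied before IPsec and why the "out" entry still matches.

// Constructed SPD in the (source, destination, direction) form used in the
// report above. It is NOT real setkey output. The local LAN 192.168.1.0/24
// is translated to 10.99.0.0/24 before encryption, so the inbound policy
// names the natted network while the outbound policy names the real one.
$spd_nat = array(
    array('src' => '192.168.2.0/24', 'dst' => '10.99.0.0/24',   'dir' => 'in'),
    array('src' => '192.168.1.0/24', 'dst' => '192.168.2.0/24', 'dir' => 'out'),
);

// Constructed SPD for an ordinary tunnel without NAT: the two entries are
// mirror images of each other.
$spd_plain = array(
    array('src' => '192.168.2.0/24', 'dst' => '192.168.1.0/24', 'dir' => 'in'),
    array('src' => '192.168.1.0/24', 'dst' => '192.168.2.0/24', 'dir' => 'out'),
);

// Phase 2 definitions as configured: localid is always the real (non-natted)
// LAN; natlocalid is the translated network, or empty when NAT is not used.
$ph2_nat = array(
    'localid'    => '192.168.1.0/24',
    'remoteid'   => '192.168.2.0/24',
    'natlocalid' => '10.99.0.0/24',
);
$ph2_plain = array(
    'localid'    => '192.168.1.0/24',
    'remoteid'   => '192.168.2.0/24',
    'natlocalid' => '',
);

// Return true if an SPD entry with the given direction, source and
// destination exists. Hypothetical stand-in for ipsec_lookup_ipsec_sa();
// it only searches the array passed in, never the kernel SPD.
function spd_has_entry(array $spd, $dir, $src, $dst) {
    foreach ($spd as $entry) {
        if ($entry['dir'] === $dir && $entry['src'] === $src && $entry['dst'] === $dst) {
            return true;
        }
    }
    return false;
}

// Status check that expects an "in" entry towards the configured local
// network. With NAT before IPsec the "in" entry names the natted network,
// so this lookup misses and the tunnel is reported as down.
function ph2_up_via_in(array $spd, array $ph2) {
    return spd_has_entry($spd, 'in', $ph2['remoteid'], $ph2['localid']);
}

// Status check that looks for the "out" entry from the configured local
// network. The "out" entry is identical for natted and non-natted tunnels.
function ph2_up_via_out(array $spd, array $ph2) {
    return spd_has_entry($spd, 'out', $ph2['localid'], $ph2['remoteid']);
}

// Combined check in the spirit of the proposed change to ipsec.inc: use the
// "out" lookup when natlocalid is set, the existing lookup otherwise.
function ph2_status(array $spd, array $ph2) {
    if (!empty($ph2['natlocalid'])) {
        return ph2_up_via_out($spd, $ph2);
    }
    return ph2_up_via_in($spd, $ph2);
}

$fmt = function ($up) { return $up ? 'up' : 'down'; };

printf("plain tunnel, \"in\" lookup : %s\n", $fmt(ph2_up_via_in($spd_plain, $ph2_plain)));
printf("plain tunnel, \"out\" lookup: %s\n", $fmt(ph2_up_via_out($spd_plain, $ph2_plain)));
printf("NAT tunnel,   \"in\" lookup : %s\n", $fmt(ph2_up_via_in($spd_nat, $ph2_nat)));
printf("NAT tunnel,   \"out\" lookup: %s\n", $fmt(ph2_up_via_out($spd_nat, $ph2_nat)));
printf("NAT tunnel,   combined     : %s\n", $fmt(ph2_status($spd_nat, $ph2_nat)));
printf("plain tunnel, combined     : %s\n", $fmt(ph2_status($spd_plain, $ph2_plain)));
```

Run it with `php` on the command line: the "in" lookup reports the NAT tunnel as down although both SPD entries are present, while the "out" lookup and the combined check report both tunnels as up. The caveat a reviewer would want noted is that the "out" lookup proves only that an outbound policy exists for the Phase 2; if a deployment ever needs to distinguish a half-installed policy pair, the "in" side must be checked against natlocalid rather than localid instead of being skipped.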
That sounds sane. I haven't dug into this part of the code though. If it works and you think that's reasonable, go ahead and send a pull request.
- Status changed from New to Feedback
- Status changed from Feedback to Resolved