Bug #2984

closed

IPSec adds route but isn't needed any more

Added by Grischa Zengel over 11 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Normal
Assignee: Ermal Luçi
Category: IPsec
Start date: 05/07/2013
% Done: 0%
Affected Architecture: All

Description

Since route-to and reply-to rules are added, no routing entries are needed any more.

  1. This code worked only with DHCP interfaces, because interface_has_gateway is false for static IPs.
  2. The removal code worked only on the wan interface.
  3. I have tested this on different interfaces (wan, opt1, DHCP, static IP) with different default gateways.

This code should be obsolete in vpn.inc:

    /* static route needed? */
    if (is_ipaddr($ph1ent['interface'])) {
        $vip = find_virtual_ip_alias($ph1ent['interface']);
        if (preg_match("/^carp|^[a-z0-9]+_vip/i", $vip['interface']))
            $parentinterface = link_carp_interface_to_parent($vip['interface']);
        else
            $parentinterface = $vip['interface'];
    } else if (preg_match("/^carp|^[a-z0-9]+_vip/i", $ph1ent['interface']))
        $parentinterface = link_carp_interface_to_parent($ph1ent['interface']);
    else
        $parentinterface = $ph1ent['interface'];

    if (is_ipaddr($rgip)) {
        /* add endpoint routes to correct gateway on interface */
        if (interface_has_gateway($parentinterface)) {
            $gatewayip = get_interface_gateway("$parentinterface");
            $interfaceip = get_interface_ip($parentinterface);
            $subnet_bits = get_interface_subnet($parentinterface);
            $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
            /* if the remote gateway is in the local subnet, then don't add a route */
            if (! ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {
                if (is_ipaddr($gatewayip)) {
                    /* FIXME: does adding route-to and reply-to on the in/outbound
                     * rules fix this? smos@ 13-01-2009 */
                    // log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
                    mwexec("/sbin/route change -host {$rgip} {$gatewayip}", true);
                }
            }
        }
    }

This means no routes have to be deleted in vpn_ipsec_phase1.php. This code could be removed, too:

    if ($pconfig['interface'] <> "wan") {
        if ($old_ph1ent['remote-gateway'] <> $pconfig['remotegw']) {
            mwexec("/sbin/route delete -host {$old_ph1ent['remote-gateway']}");
        }
    }

Perhaps you can remove /sbin/route from pfSense_BUILDER_BINARIES in vpn.inc.
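An added audit check, not pfSense code from the report: it re-implements the decision the vpn.inc snippet makes (host route only when the interface has a gateway and the peer is off the interface subnet) and lists static host routes that no current phase1 entry would add, which is the leftover case item 2 describes. The config.xml fragment, the interface table and the netstat -rn lines are constructed sample input.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real config): two phase1 entries.
CONFIG_XML = """<pfsense><ipsec>
  <phase1><interface>wan</interface><remote-gateway>203.0.113.10</remote-gateway></phase1>
  <phase1><interface>opt1</interface><remote-gateway>198.51.100.7</remote-gateway></phase1>
</ipsec></pfsense>"""

# Constructed interface table: name -> (address/prefix, upstream gateway or None).
INTERFACES = {
    "wan": ("192.0.2.2/24", "192.0.2.1"),
    "opt1": ("198.51.100.2/24", "198.51.100.1"),  # its peer is on-link
}

# Constructed 'netstat -rn' host routes (Destination Gateway Flags Netif);
# 203.0.113.99 is an old remote gateway whose route was never deleted.
NETSTAT = """\
203.0.113.10   192.0.2.1      UGHS   em0
198.51.100.7   198.51.100.1   UGHS   em1
203.0.113.99   192.0.2.1      UGHS   em0
"""

def phase1_peers(xml_text):
    """Return [(interface, remote-gateway)] for every <phase1> entry."""
    root = ET.fromstring(xml_text)
    return [(p.findtext("interface"), p.findtext("remote-gateway"))
            for p in root.iter("phase1")]

def needs_static_route(iface, peer):
    """Same test as the vpn.inc snippet: a host route is added only when the
    interface has a gateway and the peer is outside the interface subnet."""
    addr, gw = INTERFACES[iface]
    if gw is None:
        return False
    return ipaddress.ip_address(peer) not in ipaddress.ip_interface(addr).network

def stale_host_routes(netstat_text, peers):
    """Static host routes (flags H and S) that no current phase1 entry
    would add, i.e. the leftovers the report describes."""
    wanted = {gw for iface, gw in peers if needs_static_route(iface, gw)}
    stale = []
    for line in netstat_text.splitlines():
        dest, _gw, flags, _netif = line.split()
        if "H" in flags and "S" in flags and dest not in wanted:
            stale.append(dest)
    return stale
```

On a real box the same functions would be fed the live config.xml and the output of netstat -rn; the on-link opt1 peer shows up as stale here because the snippet itself would never have added a route for it.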

Actions #1

Updated by Ermal Luçi over 11 years ago

I wouldn't remove this.
The problem is that reply-to/route-to are dynamic, based on gateway status, while static routes are still there.

There are two sides to this, but better keep the static route and probably set your interface to a gateway group to solve this.

Actions #2

Updated by Chris Buechler over 11 years ago

  • Target version changed from 2.1 to 2.2
  • Affected Version deleted (2.1)

Something to be re-evaluated in the future.

Actions #3

Updated by Jim Thompson over 10 years ago

  • Assignee set to Ermal Luçi

assigned to Ermal for final evaluation. Fix it or close it.

Actions #4

Updated by Ermal Luçi over 10 years ago

  • Target version changed from 2.2 to 2.3

The fix for this will not be applied in 2.2 due to high impact on how things are done.

Strongswan can add the routes itself by now but that is a big change for 2.2 and being skipped forward!

Actions #5

Updated by Ermal Luçi almost 10 years ago

  • Status changed from New to Feedback

The routes are not present anymore since 2.2.

Actions #6

Updated by Chris Buechler almost 10 years ago

  • Status changed from Feedback to Resolved
  • Target version changed from 2.3 to 2.2

This works in 2.2.
