Project

General

Profile

Actions

Bug #3198

closed

IPSEC, when nating to a different size subnet a invalid natting rule is made.

Added by Pi Ba over 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
09/14/2013
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.1
Affected Architecture:
All

Description

IPSEC, when nating to a different size subnet a invalid natting rule is made.

Reproducable with these phase2 settings:
Local: 192.168.1.0/24
NAT/BINAT: 172.16.44.0/28
Remote: 20.0.0.0/24

[ There were error(s) loading the rules: /tmp/rules.debug:66: binat source mask and redirect mask must be the same - The line in question reads [66]: binat on enc0 from 192.168.1.0/24 to 20.0.0.0/24 -> 172.16.44.0/28]

Also a localnet of 0.0.0.0 and natting that to a subnet generates no rule at all..
Also disabled ipsec rules still generate nat rules..

This can be fixed by: https://github.com/pfsense/pfsense/pull/784

Actions #1

Updated by Josep Pujadas-Jubany almost 8 years ago

I confirm this bug for 2.1.4

https://forum.pfsense.org/index.php?topic=78637 (in Spanish)

Difficult to understand how to apply the patch explained at https://github.com/pfsense/pfsense/pull/784

Actions #2

Updated by Christian Renault almost 8 years ago

I have this bug on 2.1.4 and after applying the patch described in https://github.com/pfsense/pfsense/pull/784, I have a segmentation fault on the firewall at boot time.

Actions #3

Updated by Christian Renault almost 8 years ago

Forgot to add that the VPNs work after the patch, binat is perfect, but my firewall is useless.

Actions #4

Updated by Ermal Luçi over 7 years ago

  • Status changed from New to Feedback

This should be fixed on 2.2

Actions #5

Updated by Chris Buechler over 7 years ago

  • Status changed from Feedback to New
  • Target version set to 2.2

this is still an issue. That pull request was not the answer though.

It should suffice (for 2.2) to add input validation on vpn_ipsec_phase2.php to require using matching subnet sizes where you're using "network" for NAT/BINAT. Either your subnet size has to match (binat), or you need to NAT to a single IP.

Or - allow mismatched subnet sizes, but skip the binat in that circumstance (then people can still manually configure their NAT via outbound NAT).

Actions #6

Updated by Chris Buechler over 7 years ago

  • Status changed from New to Confirmed
Actions #7

Updated by Ermal Luçi over 7 years ago

  • Status changed from Confirmed to Feedback
Actions #8

Updated by Ermal Luçi over 7 years ago

  • % Done changed from 90 to 100
Actions #9

Updated by Chris Buechler over 7 years ago

  • Status changed from Feedback to Resolved

fixed. users will need to manually configure outbound NAT as desired in this circumstance.

Actions

Also available in: Atom PDF