Bug #3798
Status: closed (100% done)
IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address
Description
Amazon VPC provides a /30 to use as "tunnel inside addresses". They are addresses that can be configured on the VPN endpoints and can serve as an endpoint to ping or as BGP peers.
One of the addresses in the /30 can be set up as a virtual IP on lo0 (or some other interface) and the other address is configured on Amazon's VPN endpoint.
If you wish to set up the VPC side endpoint address as an address to automatically ping, it doesn't work. The logic in /etc/inc/vpn.inc only looks for ping source addresses from configured interfaces. It doesn't check virtual IP addresses.
Setting up a phase 2 entry for traffic from the virtual IP address on the pfSense box to the IP address on the VPC side and then setting the IP address on the VPC side as a host to automatically ping results in no corresponding entry being added to /var/db/ipsecpinghosts.
This affects both 2.1 and 2.2.
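To make the failure mode concrete, here is a small Python model of the ping-source lookup the report describes. It is an added illustration, not pfSense's vpn.inc code: the interface addresses, virtual IPs and phase 2 entries are constructed sample data, the `include_vips` switch stands for "only configured interfaces" versus "interfaces plus virtual IPs", and the `source|destination` line format for ipsecpinghosts is an assumption made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (not from any real pfSense box).
INTERFACE_ADDRESSES = {
    "wan": "203.0.113.10",
    "lan": "192.168.1.1",
}
# Virtual IPs, e.g. an alias on lo0 carrying the VPC "tunnel inside" address
# from the /30 that Amazon hands out.
VIRTUAL_IPS = {
    "lo0": ["169.254.255.2"],
}
# Phase 2 entries: local side, remote side, and the host to ping automatically.
PHASE2_ENTRIES = [
    {"local": "192.168.1.0/24", "remote": "10.20.0.0/16", "pinghost": "10.20.0.1"},
    {"local": "169.254.255.2/32", "remote": "169.254.255.1/32", "pinghost": "169.254.255.1"},
]


def candidate_sources(interfaces, virtual_ips, include_vips):
    """Addresses the box may use as a ping source.

    include_vips=False models the behaviour in the report (interfaces only);
    include_vips=True also considers virtual IP addresses.
    """
    addrs = set(interfaces.values())
    if include_vips:
        for vips in virtual_ips.values():
            addrs.update(vips)
    return addrs


def pick_source(local_subnet, sources):
    """Return a local address that lies inside the phase 2 local subnet, or None."""
    net = ip_network(local_subnet, strict=False)
    for addr in sorted(sources):
        if ip_address(addr) in net:
            return addr
    return None


def build_pinghosts(entries, interfaces, virtual_ips, include_vips):
    """Model of ipsecpinghosts generation.

    One 'source|destination' line per entry whose ping source could be
    resolved (line format assumed for this example). Entries whose source
    cannot be resolved are silently skipped, which is the reported symptom.
    """
    sources = candidate_sources(interfaces, virtual_ips, include_vips)
    lines = []
    for entry in entries:
        if not entry.get("pinghost"):
            continue
        src = pick_source(entry["local"], sources)
        if src is None:
            continue
        lines.append(f"{src}|{entry['pinghost']}")
    return lines


def unresolved_entries(entries, interfaces, virtual_ips, include_vips):
    """Local subnets that requested a pinghost but got no entry: a quick
    check an operator can run to spot the VIP case before wondering why the
    tunnel never comes up."""
    sources = candidate_sources(interfaces, virtual_ips, include_vips)
    return [
        e["local"]
        for e in entries
        if e.get("pinghost") and pick_source(e["local"], sources) is None
    ]


if __name__ == "__main__":
    for include_vips in (False, True):
        print(f"include_vips={include_vips}:")
        for line in build_pinghosts(PHASE2_ENTRIES, INTERFACE_ADDRESSES, VIRTUAL_IPS, include_vips):
            print("  ", line)
        print("   unresolved:", unresolved_entries(PHASE2_ENTRIES, INTERFACE_ADDRESSES, VIRTUAL_IPS, include_vips))
```

With interfaces only, the VPC entry (local 169.254.255.2/32) produces no line, exactly as the report describes; once virtual IPs are part of the candidate set, the 169.254.255.2|169.254.255.1 line appears alongside the LAN one.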
Updated by Matthew Smith over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset dc63467f3f8910f9cad7be877274ce939fb7ec4f.
Updated by Matthew Smith over 10 years ago
Applied in changeset a3331d720c120a8d34d9c44a915ea070e424191d.
Updated by Chris Buechler about 10 years ago
- Description updated (diff)
- Status changed from Feedback to Resolved
fixed