Bug #3798

IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address

Added by Matthew Smith over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version: -
Start date: 08/08/2014
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

Amazon VPC provides a /30 to use as "tunnel inside addresses". They are addresses that can be configured on the VPN endpoints and can serve as an endpoint to ping or as BGP peers.
One of the addresses in the /30 can be set up as a virtual IP on lo0 (or some other interface) and the other address is configured on Amazon's VPN endpoint.

If you wish to set up the VPC side endpoint address as an address to automatically ping, it doesn't work. The logic in /etc/inc/vpn.inc only looks for ping source addresses from configured interfaces. It doesn't check virtual IP addresses.

Setting up a phase 2 entry for traffic from the virtual IP address on the pfSense box to the IP address on the VPC side and then setting the IP address on the VPC side as a host to automatically ping results in no corresponding entry being added to /var/db/ipsecpinghosts.

This affects both 2.1 and 2.2.
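The lookup failure described above, as an added example that is not pfSense's own code: a ping-source resolver that, in one mode, consults only addresses configured directly on interfaces (the behaviour the report describes) and, in the other, also consults virtual IPs. The config layout, field names, the phase 2 entry and the pipe-separated record format are constructed for illustration; the only real detail carried over is the Amazon VPC tunnel-inside /30 with one address on lo0 as a virtual IP and the other as the host to ping.

```python
import ipaddress

# Constructed configuration for this example (not a real pfSense config.xml):
# two regular interfaces plus one of the Amazon VPC "tunnel inside" /30
# addresses carried as an IP alias on lo0.  Field names are assumptions.
CONFIG = {
    "interfaces": {
        "wan": {"ipaddr": "203.0.113.10", "subnet": 24},
        "lan": {"ipaddr": "192.168.1.1", "subnet": 24},
    },
    "virtualip": [
        {"mode": "ipalias", "interface": "lo0",
         "subnet": "169.254.255.2", "subnet_bits": 30},
    ],
}

# Constructed phase 2 entry: traffic from the local tunnel-inside address to
# the VPC side, with the VPC-side address set as the host to ping.
PHASE2 = {
    "localid": {"type": "address", "address": "169.254.255.2"},
    "remoteid": {"type": "address", "address": "169.254.255.1"},
    "pinghost": "169.254.255.1",
}


def owned_addresses(config, include_vips):
    """Addresses this firewall can use as a ping source.

    With include_vips=False this mirrors the behaviour the bug describes:
    only addresses configured directly on interfaces are considered.
    """
    addrs = [ipaddress.ip_address(i["ipaddr"]) for i in config["interfaces"].values()]
    if include_vips:
        addrs += [ipaddress.ip_address(v["subnet"]) for v in config["virtualip"]]
    return addrs


def resolve_ping_source(localid, config, include_vips):
    """Return the owned address that falls inside the phase 2 local ID.

    localid is {"type": "address", "address": A} for a single host or
    {"type": "network", "address": A, "netbits": N} for a subnet.
    Returns a string, or None when nothing we own matches (the bug's
    symptom: no ping-host record can be produced).
    """
    if localid["type"] == "address":
        wanted = ipaddress.ip_network(localid["address"])  # host route, /32 or /128
    elif localid["type"] == "network":
        wanted = ipaddress.ip_network(
            f"{localid['address']}/{localid['netbits']}", strict=False)
    else:
        return None
    for addr in owned_addresses(config, include_vips):
        if addr in wanted:  # False for mismatched address families
            return str(addr)
    return None


def ping_host_record(phase2, config, include_vips):
    """Build a 'source|pinghost' record for this phase 2, or None.

    The pipe-separated layout is an illustration, not pfSense's actual
    /var/db/ipsecpinghosts format.
    """
    pinghost = phase2.get("pinghost")
    if not pinghost:
        return None
    src = resolve_ping_source(phase2["localid"], config, include_vips)
    if src is None:
        return None
    return f"{src}|{pinghost}"


if __name__ == "__main__":
    print("interfaces only :", ping_host_record(PHASE2, CONFIG, include_vips=False))
    print("with virtual IPs:", ping_host_record(PHASE2, CONFIG, include_vips=True))
```

With the interface-only lookup the VIP-sourced phase 2 yields no record at all, which is the silent failure the report describes; the same entry resolves once virtual IPs are part of the candidate set. Matching by "owned address inside the local ID" rather than by exact string also covers the case where the phase 2 local ID is the whole /30 rather than the single host address.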

Associated revisions

Revision dc63467f (diff)
Added by Matthew Smith over 4 years ago

Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'

Revision a3331d72 (diff)
Added by Matthew Smith over 4 years ago

Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'

History

#1 Updated by Matthew Smith over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Chris Buechler over 4 years ago

  • Description updated (diff)
  • Status changed from Feedback to Resolved

fixed
