Bug #3798

closed

IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address

Added by Matthew Smith over 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version: -
Start date: 08/08/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

Amazon VPC provides a /30 to use as "tunnel inside addresses". They are addresses that can be configured on the VPN endpoints and can serve as an endpoint to ping or as BGP peers.
One of the addresses in the /30 can be set up as a virtual IP on lo0 (or some other interface) and the other address is configured on Amazon's VPN endpoint.

If you wish to set up the VPC side endpoint address as an address to automatically ping, it doesn't work. The logic in /etc/inc/vpn.inc only looks for ping source addresses from configured interfaces. It doesn't check virtual IP addresses.

Setting up a phase 2 entry for traffic from the virtual IP address on the pfSense box to the IP address on the VPC side and then setting the IP address on the VPC side as a host to automatically ping results in no corresponding entry being added to /var/db/ipsecpinghosts.

This affects both 2.1 and 2.2.
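The following is an added illustrative example and not code from pfSense's /etc/inc/vpn.inc. It models the source-address lookup the report describes: a phase 2 local network that contains a "tunnel inside" address, and a list of addresses the firewall owns from which a ping source must be chosen. The function names, the candidate-list approach and the sample addresses are assumptions constructed for the example; the first call considers only interface addresses and finds no source (so no ipsecpinghosts entry would be written), the second also considers virtual IPs and finds the lo0 address.

```php
<?php
// Added example modelling the lookup described in bug #3798; not pfSense code.

/**
 * Return true if $ip (dotted quad) lies inside $cidr, e.g. "169.254.10.0/30".
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    // Build the netmask as a 32-bit integer; /0 needs special handling because
    // shifting by 32 is undefined for a 32-bit mask.
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/**
 * Pick a source address for an automatic ping host (hypothetical helper).
 *
 * $localnet   - phase 2 local network, e.g. "169.254.10.0/30"
 * $candidates - addresses the firewall owns; interface addresses only in the
 *               buggy case, interface addresses plus virtual IPs in the fixed case
 *
 * Returns the first candidate inside $localnet, or null when none matches.
 * A null result is exactly the situation the report describes: nothing is
 * added to the ping host list because no usable source was found.
 */
function find_ping_source(string $localnet, array $candidates): ?string
{
    foreach ($candidates as $addr) {
        if (ip_in_cidr($addr, $localnet)) {
            return $addr;
        }
    }
    return null;
}

// Constructed sample data, not taken from a real deployment.
$iface_addrs = ['203.0.113.2', '192.168.1.1']; // WAN and LAN interface addresses
$vip_addrs   = ['169.254.10.1'];               // tunnel inside address configured as a VIP on lo0
$localnet    = '169.254.10.0/30';              // phase 2 local network (the VPC /30)
$pinghost    = '169.254.10.2';                 // Amazon's side of the /30, the host to ping

// Interface addresses only: the VIP is never considered, so no source is found.
$buggy = find_ping_source($localnet, $iface_addrs);
echo "interfaces only: ", var_export($buggy, true), PHP_EOL;

// Interface addresses plus virtual IPs: the lo0 VIP is inside the local network.
$fixed = find_ping_source($localnet, array_merge($iface_addrs, $vip_addrs));
echo "interfaces + VIPs: ", var_export($fixed, true), " -> ping ", $pinghost, PHP_EOL;
```

Run it with `php example.php`. The first lookup yields null, the second yields the virtual IP, which is the distinction the report draws between checking configured interfaces only and also checking virtual IP addresses.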
