Bug #3812

IPsec validation should prevent phase 2 policies (subnets) from including the remote peer

Added by Ermal Luçi over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 08/18/2014
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

It would be nice to have validation that phase 2 subnets do not include the remote peer of the IPsec phase 1, to avoid loops after tunnel establishment.

Associated revisions

Revision 6c3be365 (diff)
Added by Chris Buechler about 4 years ago

Don't allow P2 local+remote network combinations that overlap with
interface+remote-gateway of the P1. Fixes #3812

History

#1 Updated by Jim Thompson over 4 years ago

  • Tracker changed from Feature to Bug
  • Assignee set to Ermal Luçi
  • Target version set to 2.2

#2 Updated by Jim Thompson over 4 years ago

  • Affected Version changed from All to 2.2

#3 Updated by Chris Buechler about 4 years ago

  • Status changed from New to Feedback
  • Assignee changed from Ermal Luçi to Chris Buechler
  • Affected Version changed from 2.2 to All
  • Affected Documentation 0 added

fix pushed and tested, leaving for further testing and confirmation. The check only prevents P2s where the local+remote of the P2 both fall within the interface and remote-gateway of its P1. Seems to work and cover all circumstances where that would be a problem.
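The check described in the issue and in comment #3 (reject a P2 whose local and remote networks both contain the P1 interface address and remote gateway respectively) can be illustrated with the following added example. It is not pfSense's own code (the real fix is in PHP, revision 6c3be365 above); the `Phase1`/`Phase2` records, the function names and the sample addresses are constructed for this illustration, and it assumes the P1 endpoints are given as literal IP addresses rather than hostnames.

```python
"""Validation that a phase 2 (P2) traffic selector does not swallow its own
phase 1 (P1) endpoints.  If the P2 local network contains the interface
address the P1 binds to AND the P2 remote network contains the P1 remote
gateway, the IKE/ESP packets exchanged between the two peers would themselves
match the P2 policy once the tunnel is up, which is the loop the issue
describes.  Constructed example; not the project's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Phase1:
    interface_addr: str   # address of the local interface the P1 uses (hypothetical record)
    remote_gateway: str   # address of the remote peer (assumed to be a literal IP)


@dataclass
class Phase2:
    local_net: str    # local traffic selector, CIDR notation (hypothetical record)
    remote_net: str   # remote traffic selector, CIDR notation


def p2_covers_p1_endpoints(p1: Phase1, p2: Phase2) -> bool:
    """True only when BOTH P2 sides fall within the P1 endpoints, matching the
    rule in comment #3: local ⊇ interface address and remote ⊇ remote gateway.
    A P2 that matches on one side only is allowed."""
    local_net = ipaddress.ip_network(p2.local_net, strict=False)
    remote_net = ipaddress.ip_network(p2.remote_net, strict=False)
    iface = ipaddress.ip_address(p1.interface_addr)
    gateway = ipaddress.ip_address(p1.remote_gateway)
    # Selectors of a different address family can never contain the endpoints.
    if local_net.version != iface.version or remote_net.version != gateway.version:
        return False
    return iface in local_net and gateway in remote_net


def validate_phase2(p1: Phase1, p2: Phase2) -> List[str]:
    """Return a list of validation errors for a P2 against its parent P1.
    An empty list means the P2 may be saved."""
    errors: List[str] = []
    try:
        ipaddress.ip_network(p2.local_net, strict=False)
        ipaddress.ip_network(p2.remote_net, strict=False)
        ipaddress.ip_address(p1.interface_addr)
        ipaddress.ip_address(p1.remote_gateway)
    except ValueError as exc:
        return [f"invalid address or network: {exc}"]

    if p2_covers_p1_endpoints(p1, p2):
        errors.append(
            "The P2 local and remote networks overlap the P1 interface address "
            f"({p1.interface_addr}) and remote gateway ({p1.remote_gateway}); "
            "the tunnel's own traffic would match this policy."
        )
    return errors


if __name__ == "__main__":
    # Constructed sample values (documentation ranges, not real peers).
    p1 = Phase1(interface_addr="203.0.113.10", remote_gateway="198.51.100.20")
    ok = Phase2(local_net="10.0.1.0/24", remote_net="10.0.2.0/24")
    bad = Phase2(local_net="203.0.113.0/24", remote_net="198.51.100.0/24")
    print("ok  ->", validate_phase2(p1, ok))
    print("bad ->", validate_phase2(p1, bad))
```

The `0.0.0.0/0` to `0.0.0.0/0` case (a full-tunnel P2) is rejected by the same rule, since both selectors contain every endpoint; a P2 that matches only one of the two endpoints passes, as comment #3 states.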

#4 Updated by Chris Buechler about 4 years ago

  • % Done changed from 0 to 100

#5 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

this is good