IPSec validation should prevent phase2 policies(subnets) to include remote peer on it
It would be nice to have validation of phase2 subnets to not include the remote peer of ipsec phase1 to avoid loops after tunnel establishment.
#3 Updated by Chris Buechler almost 4 years ago
- Status changed from New to Feedback
- Assignee changed from Ermal Luçi to Chris Buechler
- Affected Version changed from 2.2 to All
- Affected Documentation 0 added
fix pushed and tested, leaving for further testing and confirmation. The check only prevents P2s where the local+remote of the P2 both fall within the interface and remote-gateway of its P1. Seems to work and cover all circumstances where that would be a problem.