Bug #4848

closed

The remote gateway "ip-address" is already used by phase1 "name of phase 1"

Added by Stefan Kooman over 8 years ago. Updated about 8 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 07/16/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: amd64

Description

If you clone (copy phase 1 entry) a "phase 1" IPsec connection, change only the "P1 Description" and hit the save button, the configurator gives the error: The remote gateway "ip-address" is already used by phase1 "name of phase 1". This seems to indicate that you can only set up a single Phase 1 for a given IP. However, if you tick the box "Disable this phase1 entry", save the configuration, edit the configuration again, change the description to a unique value and untick "Disabled" (so enabling this phase 1 entry), it does not give an error. The two phase 1 configurations (each of them with a phase 2 configuration) work as well. So there is a workaround to have multiple phase 1 entries for a given IP address.

Actions #1

Updated by Chris Buechler over 8 years ago

  • Status changed from New to Feedback

The issue as described isn't replicable. You get the same error in that described circumstance. The check there is for each local interface and IP, and remote IP/hostname. And checking only enabled connections. The description isn't involved in that check at all.

I'm guessing you changed the WAN, or the remote IP? Or disabled the one you initially duplicated? If interface and remote are the same as an enabled connection, it triggers that validation.

There should be no legit use case for scenarios that fail this validation (and it could be problematic in some scenarios to allow it). It probably works in many cases, but it's not permitted as it's likely never a good idea nor necessary. Do you have a use case where that's necessary or desirable?
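The check described in update #1 (local interface plus remote IP/hostname, enabled entries only, description ignored) can also be run as an audit over an exported configuration to find enabled phase 1 entries that share a peer. This is an added example, not pfSense's own code and not part of the ticket; the XML element names and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, not taken from the ticket. The element names (ipsec,
# phase1, ikeid, interface, remote-gateway, descr, disabled) are assumptions.
SAMPLE_CONFIG = """
<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><interface>wan</interface>
      <remote-gateway>198.51.100.10</remote-gateway><descr>Site A net 1</descr></phase1>
    <phase1><ikeid>2</ikeid><interface>wan</interface>
      <remote-gateway>198.51.100.10</remote-gateway><descr>Site A net 2</descr></phase1>
    <phase1><ikeid>3</ikeid><interface>wan</interface>
      <remote-gateway>198.51.100.10</remote-gateway><descr>Old copy</descr><disabled/></phase1>
    <phase1><ikeid>4</ikeid><interface>opt1</interface>
      <remote-gateway>198.51.100.10</remote-gateway><descr>Second WAN</descr></phase1>
    <phase1><ikeid>5</ikeid><interface>wan</interface>
      <remote-gateway>VPN.Example.net</remote-gateway><descr>Site B</descr></phase1>
  </ipsec>
</pfsense>
"""


def duplicate_phase1(config_xml):
    """Map (interface, remote gateway) -> ikeids for enabled entries that collide."""
    groups = defaultdict(list)
    for p1 in ET.fromstring(config_xml).iterfind("./ipsec/phase1"):
        # An Element with no children is falsy, so test presence explicitly.
        if p1.find("disabled") is not None:
            continue  # disabled entries are outside the check
        iface = (p1.findtext("interface") or "").strip().lower()
        remote = (p1.findtext("remote-gateway") or "").strip().lower()
        if not remote:
            continue  # no fixed peer recorded, nothing to compare
        # The description (descr) is deliberately not part of the key.
        groups[(iface, remote)].append(p1.findtext("ikeid"))
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for (iface, remote), ids in duplicate_phase1(SAMPLE_CONFIG).items():
        print(f"{iface} -> {remote}: enabled phase1 entries {', '.join(ids)}")
```
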

Actions #2

Updated by Stefan Kooman over 8 years ago

"If interface and remote are the same as an enabled connection, it triggers that validation." <- This is what I did. Two separate phase 2 networks over 1 phase one IPsec tunnel did not work. So we tried this solution and it worked immediately. The other side is an "Astaro ASG220", Sophos firewall nowadays. It's not desirable but this is the use case. Maybe this validation / check can be changed into a warning to avoid people using this solution, but still make it (easily) possible, as this was the only way to a working solution.

Actions #3

Updated by Chris Buechler about 8 years ago

  • Status changed from Feedback to Not a Bug
  • Affected Version deleted (2.2.3)