Bug #5500

IPsec won't create firewall rules when you use an IP Alias on "Interface"

Added by Heiler Bemerguy over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
11/20/2015
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

Set interface to an IP Alias:
[2.2.5-RELEASE]/root: pfctl -sr |grep -i ipsec
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"

Set interface to an interface "name" (like WAN, LAN):
[2.2.5-RELEASE]/root: pfctl -sr | grep -i ipsec
anchor "ipsec/*" all
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = isakmp keep state label "IPsec: Acesso BB - outbound isakmp"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = isakmp keep state label "IPsec: Acesso BB - inbound isakmp"
pass out route-to (vmx2 201.72.x.x) inet proto udp from (self) to 170.66.x.x port = sae-urn keep state label "IPsec: Acesso BB - outbound nat-t"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto udp from 170.66.x.x to (self) port = sae-urn keep state label "IPsec: Acesso BB - inbound nat-t"
pass out route-to (vmx2 201.72.x.x) inet proto esp from (self) to 170.66.x.x keep state label "IPsec: Acesso BB - outbound esp proto"
pass in on vmx2 reply-to (vmx2 201.72.x.x) inet proto esp from 170.66.x.x to (self) keep state label "IPsec: Acesso BB - inbound esp proto"

Associated revisions

Revision c8705b31 (diff)
Added by Chris Buechler over 3 years ago

Account for IP aliases in IPsec firewall rules. Ticket #5500

Revision 2a5960b0 (diff)
Added by Luiz Souza over 3 years ago

Review of CARP uniqid changes.

It turns out that current CARP implementation is not much different from an IP alias.

This commit converts the IP alias to also use the CARP uniqid scheme; this simplifies the code in all other places because now we have only two different cases to deal with:

- A friendly interface name (lan, wan, opt1, etc.);
- A Virtual IP - VIP alias (_vip{$uniqid}) - CARP or IP Alias.

The parent of a CARP is always a friendly interface. The parent of an IP alias can be a friendly interface or a CARP (this is the only case of recursion of a VIP).

This commit removes a few cases where CARP was still considered an interface (the old CARP implementation), fixes all the wrong cases of strpos() being used to detect a VIP address (won't work as it returns '0', which fails when tested as 'TRUE'), reviews the usage of CARP and IP alias as services bind addresses, and fixes general issues of adding and editing VIP addresses.

The following subsystems were affected by these changes:

- IPSEC;
- OpenVPN;
- dnsmasq;
- NTP;
- gateways and gateway groups;
- IPv6 RA;
- GRE interfaces;
- CARP status;
- Referrer authentication.

Fixes (and/or revisits) the following tickets:

- Ticket #3257
- Ticket #3716
- Ticket #4450
- Ticket #4858
- Ticket #5441
- Ticket #5442
- Ticket #5500
- Ticket #5783
- Ticket #5844
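
The strpos() pitfall named in the commit message above is worth seeing in isolation, because it is exactly the kind of bug that makes a firewall-rule generator silently skip the rules it was supposed to emit. The block below is an added illustration, not pfSense's own code: a VIP name is assumed to start with the "_vip" prefix followed by a uniqid, as the commit describes, and every interface name in the sample list is constructed for this example. It contrasts a detector that tests the raw return value of strpos() as a boolean with two correct forms, and also shows that the broken form yields a false positive whenever "_vip" occurs at a non-zero offset.

```php
<?php
// Added example (not pfSense code): why strpos() must never be tested as a boolean.
// Assumption from the commit message: a VIP interface id is "_vip" + uniqid,
// e.g. "_vip5a3f1c2d9e8b7". All names below are constructed for illustration.

/**
 * Broken detector. strpos() returns 0 when the needle sits at offset 0, and
 * 0 is falsy in PHP, so every genuine "_vip..." id is reported as NOT a VIP.
 * Conversely any non-zero offset is truthy, so a name merely containing
 * "_vip" somewhere is reported AS a VIP.
 */
function is_vip_broken(string $iface): bool {
    if (strpos($iface, '_vip')) {   // 0 == false here: wrong for "_vip..."
        return true;
    }
    return false;
}

/** Correct: compare the offset to the integer 0 with the identity operator. */
function is_vip_fixed(string $iface): bool {
    return strpos($iface, '_vip') === 0;
}

/** Equivalent and arguably clearer: test the prefix directly. */
function is_vip_prefix(string $iface): bool {
    return substr($iface, 0, 4) === '_vip';
}

// Constructed interface names with the result a VIP detector should give.
$samples = [
    '_vip5a3f1c2d9e8b7' => true,   // IP alias / CARP VIP id (constructed uniqid)
    'wan'               => false,  // friendly interface names
    'lan'               => false,
    'opt1'              => false,
    'my_vip_bridge'     => false,  // contrived: contains "_vip" at offset 2
];

$ok = true;
foreach ($samples as $iface => $expected) {
    $b = is_vip_broken($iface);
    $f = is_vip_fixed($iface);
    $p = is_vip_prefix($iface);
    printf("%-20s broken=%-5s fixed=%-5s prefix=%-5s expected=%s\n",
        $iface,
        var_export($b, true), var_export($f, true),
        var_export($p, true), var_export($expected, true));
    if ($f !== $expected || $p !== $expected) {
        $ok = false;
    }
}
echo $ok ? "fixed detectors agree with expectations\n"
         : "MISMATCH in a fixed detector\n";
```

Run it with `php` from the command line. The broken detector gets the real VIP id wrong (false) and the contrived name wrong (true), while both corrected forms match the expected column for every sample. In code that builds firewall rules from the detected interface type, the first failure mode means the VIP branch is never taken and the rules for that peer are simply not generated, which is the symptom reported in this ticket.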

History

#1 Updated by Chris Buechler over 3 years ago

  • Project changed from pfSense Packages to pfSense
  • Category set to IPsec

#2 Updated by Jim Thompson over 3 years ago

  • Assignee set to Chris Buechler

assigned to cmb for confirmation.

#3 Updated by Chris Buechler over 3 years ago

  • Status changed from New to Feedback
  • Affected Version changed from 2.2.x to All

should be fixed, leaving for additional confirmation.

#4 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

works

#5 Updated by Jim Thompson over 3 years ago

  • Status changed from Resolved to Assigned
  • Assignee changed from Chris Buechler to Luiz Souza

reopened, assigned to Luiz. apparently there is a better fix.

#6 Updated by Luiz Souza over 3 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

This is now fixed and tested with CARP and IP Aliases.

#7 Updated by Chris Buechler over 3 years ago

  • Status changed from Resolved to Feedback
  • Assignee changed from Luiz Souza to Chris Buechler

to me to confirm

#8 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

still correct for IP aliases and CARP
