Feature #6324 (closed): Improve IKEv2 multiple traffic selector per SA configuration GUI
Description
On IPsec IKEv2 tunnels, by default all defined Ph2s are configured within a single SA.
This could end up with undesired (and potentially security-compromising) settings. (I am aware of the option to disable the single SA behavior; it is not my point.)
Example:
Ph2 1: 10.0.0.0/24 <-> 192.168.0.0/24
Ph2 2: 10.0.1.0/24 <-> 192.168.1.0/24
This translates to:
leftsubnet = 10.0.0.0/24,10.0.1.0/24
rightsubnet = 192.168.0.0/24,192.168.1.0/24
Which means that 10.0.0.0/24 and 192.168.1.0/24 now have connectivity although no Ph2 is explicitly defined for them, while on IKEv1 with the same settings they don't.
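An added example (not pfSense or strongSwan code) that makes the difference above concrete. It models the behavior described in this issue: in single-SA mode the Ph2 local and remote subnets are handed to strongSwan as comma-joined `leftsubnet`/`rightsubnet` lists, so the reachable pairs are the cartesian product of the two lists; in split mode each Ph2 is its own SA and only the explicitly defined pairs exist. The `PH2S` entries are the constructed pairs from the example above, and the function names are this example's own.

```python
"""Audit the effective traffic selectors of an IKEv2 tunnel.

Added example, not pfSense or strongSwan code. The single-SA model (cartesian
product of all local and all remote Ph2 subnets) follows the issue's own
description of the generated leftsubnet/rightsubnet lists.
"""
from ipaddress import ip_network
from itertools import product

# Constructed Phase 2 definitions, taken from the issue's example.
PH2S = [
    ("10.0.0.0/24", "192.168.0.0/24"),
    ("10.0.1.0/24", "192.168.1.0/24"),
]


def parse_ph2s(ph2s):
    """Validate and normalise Phase 2 (local, remote) subnet pairs."""
    return [(ip_network(local), ip_network(remote)) for local, remote in ph2s]


def single_sa_selectors(ph2s):
    """Return the comma-joined leftsubnet/rightsubnet values single-SA mode produces.

    Duplicates are dropped while preserving the order in which Ph2s were defined.
    """
    pairs = parse_ph2s(ph2s)
    left = ",".join(dict.fromkeys(str(loc) for loc, _ in pairs))
    right = ",".join(dict.fromkeys(str(rem) for _, rem in pairs))
    return left, right


def effective_pairs(ph2s, single_sa):
    """Return the set of (local, remote) subnet pairs that end up with connectivity."""
    pairs = parse_ph2s(ph2s)
    if single_sa:
        # One SA with every local and every remote selector: all combinations match.
        locals_ = [loc for loc, _ in pairs]
        remotes = [rem for _, rem in pairs]
        return {(str(loc), str(rem)) for loc, rem in product(locals_, remotes)}
    # Split configuration: one SA per Ph2, only the defined pairs are reachable.
    return {(str(loc), str(rem)) for loc, rem in pairs}


def unintended_pairs(ph2s):
    """Pairs that single-SA mode allows but no Ph2 explicitly defines."""
    return effective_pairs(ph2s, single_sa=True) - effective_pairs(ph2s, single_sa=False)


if __name__ == "__main__":
    left, right = single_sa_selectors(PH2S)
    print(f"leftsubnet = {left}")
    print(f"rightsubnet = {right}")
    for local, remote in sorted(unintended_pairs(PH2S)):
        print(f"WARNING: {local} <-> {remote} reachable without an explicit Ph2")
```

Running it on the two Ph2s above reports the two cross pairs (10.0.0.0/24 to 192.168.1.0/24 and 10.0.1.0/24 to 192.168.0.0/24) that single-SA mode adds; with split configuration the set of unintended pairs is empty.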
I believe this is a GUI problem. This is the way I think it should behave:
- When IKEv2 with single SA is selected, the GUI should let you create only one Ph2 where you specify all the subnets you want, on both sides, altogether.
- When IKEv2 with split configuration is selected, it should behave as it does right now.
- Upgrades from previous versions should default to split configuration to avoid potential security issues.
----
I also found that this (kind of) breaks the IPsec widget. If you have multiple Ph2s defined with single SA settings, the output doesn't make sense: it shows only one tunnel with single subnets and names (the real problem here is that in fact there is just one SA!). I guess this could be easily fixed with the previously proposed solution.