Bug #815

IPSEC VPN creation fails if LAN I/F has no IP address.

Added by simon allen about 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: IPsec
Target version:
Start date: 08/10/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

vpn.inc makes the assumption that the LAN interface will have an IP address. In the case where it does not (for example where there is a bridge with the LAN interface as a member), vpn.inc appears to create two erroneous spdadd lines at the top of spd.conf which prevents the VPN tunnel from becoming established.

As a test, the following lines in vpn.inc were changed from:

$lanip = get_interface_ip("lan");
$lansn = get_interface_subnet("lan");

to
$lanip = get_interface_ip("bridge0");
$lansn = get_interface_subnet("bridge0");

after which the correct syntax spdadd lines are added to spd.conf and the VPN comes up as expected.

Maybe the correct action is to inspect bridges if the LAN address is null, to see if they contain the LAN interface as member and use their address details instead? (although $lanip, $lansn are only used as a failsafe it would appear to stop the user locking themselves out so that may be overkill..?)

Associated revisions

Revision 6c74ac23 (diff)
Added by Ermal Luçi about 9 years ago

Resolves #815. Do not add protection rules if lan interface has no ip.
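
A sketch of the kind of guard the revision message describes, added here as an example and not taken from vpn.inc or revision 6c74ac23. `lan_bypass_spd()` is a hypothetical helper, and the `spdadd ... -P in|out none` line layout is an assumption based on setkey syntax, since the page does not show the generated lines.

```php
<?php
// Added illustration; not the project's code. lan_bypass_spd() is hypothetical.

/**
 * Build the SPD "none" (bypass) entries that keep traffic to the firewall's
 * own LAN address out of the tunnel. Returns "" when the interface has no
 * usable IPv4 address or prefix, so nothing malformed reaches spd.conf.
 * Assumes 64-bit PHP integers for the mask arithmetic.
 */
function lan_bypass_spd($lanip, $lansn): string
{
    // An unnumbered interface (e.g. a bridge member) yields null/empty here.
    if (filter_var($lanip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return "";
    }
    if (!is_numeric($lansn) || $lansn < 1 || $lansn > 32) {
        return "";
    }
    $bits = (int)$lansn;

    // Network address = interface address AND netmask.
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $net  = long2ip(ip2long($lanip) & $mask);

    return "spdadd {$net}/{$bits} {$lanip}/32 any -P in none;\n"
         . "spdadd {$lanip}/32 {$net}/{$bits} any -P out none;\n";
}

// Constructed illustration of what an empty address does to such a line
// when it is interpolated without any check:
$lanip = null;
$lansn = null;
echo "unguarded: spdadd /{$lansn} {$lanip}/32 any -P in none;\n";

// Guarded: an unnumbered LAN produces no lines at all,
// a numbered LAN (constructed sample values) produces two valid entries.
echo "guarded (no IP): [" . lan_bypass_spd(null, null) . "]\n";
echo lan_bypass_spd("192.168.1.1", 24);
```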

History

#1 Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved
