Bug #9801

VTI IPv6 addresses don't get assigned

Added by Ben Hughes 23 days ago. Updated 23 days ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 09/29/2019
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

When an IPsec VPN has a v6 VTI phase 2 assigned, the address is never assigned to the ipsecXXXX interface due to this error:

/vpn_ipsec.php: The command '/sbin/ifconfig 'ipsec2000' inet '2001:db8::2/126' '2001:db8::1'' returned exit code '1', the output was 'ifconfig: 2001:db8::2/126: bad value (width too large)'

If I manually assign the address with '/sbin/ifconfig 'ipsec2000' inet6 '2001:db8::2/126'' then the tunnel will happily pass IPv6 traffic between the addresses.

It seems that the v6 addresses are incorrectly identified as v4, and I also don't think that it is the correct syntax for a v6 address, as if I just change the inet to inet6 I get this error:

ifconfig: ioctl (SIOCAIFADDR): Invalid argument

History

#1 Updated by Ben Hughes 23 days ago

It seems that the is_ipaddrv6 function checks for a "/" in the address and, if so, decides it can't possibly be a v6 address. The PEAR Net_IPv6 module does correctly detect it as an IPv6 address, but this check is in there for compat reasons (not sure why). This is why it incorrectly tries to apply a v6 address as a v4 one. Also, the command to apply it doesn't seem to be correct either.

So a quick and very dirty hack that seems to solve the problem (introducing what else I don't know) is:

In src/etc/inc/util.inc:665 comment out the check for (strstr($ipaddr, "/")) and in src/etc/interfaces.inc:1441 alter the inet6 ifconfig call to remove the right side address and alias command.

That seems to reliably bring the VTI interface back up with both its IPv4 and IPv6 addresses and allow traffic to pass. Obviously it could do with a more production-ready fix, but hopefully it makes that a little bit easier to implement.
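
The misclassification described in this issue, as an added sketch in PHP (not pfSense code and not the project's fix): the prefix is split off before the family check, so a v6 address with a "/" is still classified as inet6. The function names vti_parse_addr and vti_ifconfig_cmd and the IPv4 sample addresses are hypothetical; the inet6 command form without a peer address mirrors the command the reporter ran manually.

```php
<?php
// Added illustration; function names are hypothetical, sample addresses are constructed.

// Split "addr[/prefix]" and classify the family from the address part only,
// so the presence of a "/" cannot make a v6 address fall through to v4.
function vti_parse_addr(string $value): ?array
{
    $parts  = explode('/', $value, 2);
    $addr   = $parts[0];
    $prefix = $parts[1] ?? null;

    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $family = 'inet6';
        $max    = 128;
    } elseif (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $family = 'inet';
        $max    = 32;
    } else {
        return null;
    }
    if ($prefix !== null) {
        // Reject empty, non-numeric or over-wide prefixes for this family.
        if (!ctype_digit($prefix) || (int)$prefix > $max) {
            return null;
        }
        $prefix = (int)$prefix;
    }
    return ['family' => $family, 'addr' => $addr, 'prefix' => $prefix];
}

// Build the ifconfig command line for a VTI address pair, choosing the form by family.
function vti_ifconfig_cmd(string $if, string $local, string $remote): ?string
{
    $l = vti_parse_addr($local);
    $r = vti_parse_addr($remote);
    if ($l === null || $r === null || $l['family'] !== $r['family']) {
        return null; // invalid input or mixed families: refuse to build a command
    }
    $cidr = $l['addr'] . ($l['prefix'] !== null ? '/' . $l['prefix'] : '');
    $cmd  = '/sbin/ifconfig ' . escapeshellarg($if) . ' ' . $l['family'] . ' ' . escapeshellarg($cidr);
    if ($l['family'] === 'inet') {
        $cmd .= ' ' . escapeshellarg($r['addr']); // v4 keeps the peer address, as in the logged command
    }
    return $cmd;
}

echo vti_ifconfig_cmd('ipsec2000', '2001:db8::2/126', '2001:db8::1'), "\n";
echo vti_ifconfig_cmd('ipsec2000', '10.6.106.2/30', '10.6.106.1'), "\n";
var_dump(vti_ifconfig_cmd('ipsec2000', '2001:db8::2/129', '2001:db8::1'));
```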
