From 1e8ebbfc0d54e85e48df06c0927dfa5343ca3a51 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 19 Jul 2019 16:24:59 +0200
Subject: [PATCH] IPSec, NAT before IPsec changes as discussed https://github.com/opnsense/core/issues/1773#issuecomment-513239146

---
 src/etc/inc/plugins.inc.d/ipsec.inc | 36 ++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 059075db4..25463afc1 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -665,17 +665,15 @@ function ipsec_configure_spd()
 // add manual added spd entries
 if (!empty($config['ipsec']['phase1']) && !empty($config['ipsec']['phase2'])) {
 foreach ($config['ipsec']['phase1'] as $ph1ent) {
+ if (!empty($ph1ent['disabled'])) {
+ continue;
+ }
 foreach ($config['ipsec']['phase2'] as $ph2ent) {
 if (!isset($ph2ent['disabled']) && $ph1ent['ikeid'] == $ph2ent['ikeid'] && !empty($ph2ent['spd'])) {
- $myid_data = ipsec_get_phase1_src($ph1ent);
- // XXX: remove me, temporary logging to validate https://github.com/opnsense/core/issues/1773
- $myid_data_prev = ipsec_find_id($ph1ent, "local");
- if ($myid_data_prev != $myid_data) {
- log_error(sprintf(
- "spdadd: using %s in source policy, local id set to %s", $myid_data, $myid_data_prev
- ));
- }
+ $tunnel_src = ipsec_get_phase1_src($ph1ent);
+ $tunnel_dst = ipsec_resolve($ph1ent['remote-gateway']);
+ // XXX: remove me, temporary logging to validate https://github.com/opnsense/core/issues/1773
 $peerid_spec = ipsec_find_id($ph1ent, "peer");
 if (!is_ipaddr($peerid_spec)) {
 if (is_ipaddr($ph1ent['remote-gateway'])) {
@@ -686,9 +684,25 @@ function ipsec_configure_spd()
 $peerid_spec, $ph1ent['remote-gateway']
 ));
- continue;
 }
 }
+ $myid_data = ipsec_find_id($ph1ent, "local");
+ if ($myid_data != $tunnel_src) {
+ log_error(sprintf(
+ "spdadd: using %s in source policy, local id set to %s", $tunnel_src, $myid_data
+ ));
+ }
+ if ($peerid_spec != $tunnel_dst) {
+ log_error(sprintf(
+ "spdadd: using %s in destination policy, peer id set to %s", $tunnel_dst, $peerid_spec
+ ));
+ }
+ // XXX: end
+
+ if (empty($tunnel_dst) || empty($tunnel_src)) {
+ continue;
+ }
+
 foreach (explode(',', $ph2ent['spd']) as $local_net) {
 $proto = $ph2ent['mode'] == "tunnel" ? "4" : "6";
 $remote_net = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
@@ -698,8 +712,8 @@ function ipsec_configure_spd()
 trim($local_net),
 $remote_net,
 $ph2ent['protocol'],
- $myid_data,
- $peerid_spec
+ $tunnel_src,
+ $tunnel_dst
 );
 }
 }
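Review bot: The new guard in front of the inner `foreach` only checks that `$tunnel_src` and `$tunnel_dst` are non-empty, whereas the `continue` it replaces fired when the peer spec was not an IP address; if `ipsec_resolve()` hands back the unresolved hostname instead of an empty value (its behaviour is not visible here), a non-address reaches the spdadd arguments in the following hunk and ends up in the kernel security policy. A stricter guard in keeping with the `is_ipaddr` checks already applied to `$peerid_spec` above would be `if (!is_ipaddr($tunnel_src) || !is_ipaddr($tunnel_dst)) { continue; }`. `$myid_data` is now computed solely for the temporary `XXX` log block, so it should go when that block is removed; moving the assignment inside the block or marking it `// XXX: only used by the temporary logging below` would make that obvious. ipsec_configure_spd() starts before this hunk and the call consuming `$tunnel_src`/`$tunnel_dst` is in the next hunk.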