ipsec, nat before ipsec. if peer identifier isn't an address, spdadd can't add a tunnel. switch to remote-gateway if that is a valid ip address.

It's not a complete fix for https://github.com/opnsense/core/issues/1773, but it improves error logging and adds a fallback for when the peer identifier is currently broken.
This commit is contained in:
Ad Schellevis 2019-02-05 11:23:14 +01:00
parent 9a9740dbfe
commit 8f45e0d862


@ -667,6 +667,17 @@ function ipsec_configure_spd()
if (!isset($ph2ent['disabled']) && $ph1ent['ikeid'] == $ph2ent['ikeid'] && !empty($ph2ent['spd'])) {
$myid_data = ipsec_find_id($ph1ent, "local");
$peerid_spec = ipsec_find_id($ph1ent, "peer");
if (!is_ipaddr($peerid_spec)) {
if (is_ipaddr($ph1ent['remote-gateway'])) {
$peerid_spec = $ph1ent['remote-gateway'];
} else {
log_error(sprintf(
"spdadd: unable to match remote network on %s or %s [skipped]",
$peerid_spec, $ph1ent['remote-gateway']
));
continue;
}
}
foreach (explode(',', $ph2ent['spd']) as $local_net) {
$proto = $ph2ent['mode'] == "tunnel" ? "4" : "6";
$remote_net = ipsec_idinfo_to_cidr($ph2ent['remoteid'], false, $ph2ent['mode']);
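Review bot: The fallback branch that substitutes remote-gateway for a non-address peer identifier is silent, so an SPD installed against a different selector than the configured peer id leaves no trace in the log; only the skip path reports. Since the commit's stated aim is better error logging, I would log the substitution too, e.g. `log_error(sprintf("spdadd: peer identifier %s is not an address, using remote-gateway %s instead", $peerid_spec, $ph1ent['remote-gateway']));` just before the assignment, so an operator can tell which address the policy was actually built for. The skip message "unable to match remote network on %s or %s" also names the wrong thing, as both placeholders are the peer identifier and the remote gateway rather than a network; "peer identifier %s and remote-gateway %s are not addresses [skipped]" would match what the check tests. `$ph1ent['remote-gateway']` is read without a key check, which presumably follows the file's existing style for `$ph1ent['ikeid']`, but if the key can be absent a `?? ''` would avoid the notice and the empty placeholder. ipsec_configure_spd() and the loop that `continue` targets both start before and end after this hunk.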