diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml
index a4c5d4acc..602d07a9d 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml
@@ -37,6 +37,21 @@
The size of the subnet containing local and remote will be calculated automatically
+
+ vti.tunnel_local2
+
+ text
+ Inner tunnel local address to be used for routing purposes.
+
+
+ vti.tunnel_remote2
+
+ text
+
+ Inner tunnel remote address to be used for routing purposes.
+ The size of the subnet containing local and remote will be calculated automatically
+
+
vti.description
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
index 283fdf223..de9b561d5 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
+++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php
@@ -62,8 +62,12 @@ class Swanctl extends BaseModel
}
foreach ($vtis as $key => $node) {
$vti_inets = [];
- foreach (['local', 'remote', 'tunnel_local', 'tunnel_remote'] as $prop) {
- $vti_inets[$prop] = strpos((string)$node->$prop, ':') > 0 ? 'inet6' : 'inet';
+ foreach (['local', 'remote', 'tunnel_local', 'tunnel_remote', 'tunnel_local2', 'tunnel_remote2'] as $prop) {
+ if (empty((string)$node->$prop)) {
+ $vti_inets[$prop] = '-';
+ } else {
+ $vti_inets[$prop] = strpos((string)$node->$prop, ':') > 0 ? 'inet6' : 'inet';
+ }
}
if ($vti_inets['local'] != $vti_inets['remote']) {
@@ -72,6 +76,12 @@ class Swanctl extends BaseModel
if ($vti_inets['tunnel_local'] != $vti_inets['tunnel_remote']) {
$messages->appendMessage(new Message(gettext("Protocol families should match"), $key . ".tunnel_local"));
}
+ if ($vti_inets['tunnel_local2'] != $vti_inets['tunnel_remote2']) {
+ $messages->appendMessage(
+ new Message(gettext("Protocol families should match"),
+ $key . ".tunnel_local2")
+ );
+ }
}
foreach ($spds as $key => $node) {
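Review bot: The new `tunnel_local2`/`tunnel_remote2` comparison also fires when only one of the two fields is filled in, because the earlier hunk maps an unset address to `'-'`, and the user is then told "Protocol families should match". That message does not say the counterpart address is missing, and it is always attached to `.tunnel_local2` even when `tunnel_remote2` is the empty field. Consider a separate branch for the half-configured case, for example `if (($vti_inets['tunnel_local2'] == '-') != ($vti_inets['tunnel_remote2'] == '-'))`, with its own message along the lines of `gettext("Secondary tunnel addresses must be set as a pair")` reported on the empty field. A short comment next to the `'-'` assignment saying that it marks an unset address would also help, since `local` and `remote` now pass through the same path. The enclosing validation method starts and ends outside this hunk.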
@@ -249,6 +259,19 @@ class Swanctl extends BaseModel
]
]
];
+ if (!empty((string)$node->tunnel_local2)) {
+ // add optional secondary address
+ $inet = strpos((string)$node->tunnel_local2, ':') > 0 ? 'inet6' : 'inet';
+ $result['ipsec' . (string)$node->reqid]['networks'][] = [
+ 'inet' => $inet,
+ 'tunnel_local' => (string)$node->tunnel_local2,
+ 'tunnel_remote' => (string)$node->tunnel_remote2,
+ 'mask' => Util::smallestCIDR(
+ [(string)$node->tunnel_local2, (string)$node->tunnel_remote2],
+ $inet
+ )
+ ];
+ }
}
}
return $result;
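Review bot: The secondary network entry is emitted whenever `tunnel_local2` is non-empty, without checking `tunnel_remote2`, so the generator relies entirely on model validation having run. If a configuration reaches this code with only the local side set (a restored or hand-edited config, presumably), `Util::smallestCIDR()` is called with an empty address and the entry carries an empty `tunnel_remote`; what the helper returns in that case is not visible here. Guarding on both values keeps a malformed interface definition out of the output: `if (!empty((string)$node->tunnel_local2) && !empty((string)$node->tunnel_remote2)) {`. The address family is also taken from `tunnel_local2` alone, using the same `strpos(..., ':') > 0` expression as the validation hunk, so a small shared helper would keep the two in step. The enclosing method begins outside this hunk.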
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
index 331e88580..dc0b288cf 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
@@ -381,6 +381,16 @@
Y
Please specify a valid address.
+
+ N
+ N
+ Please specify a valid address.
+
+
+ N
+ N
+ Please specify a valid address.
+