From eb74bd05ffa216090be7b797f1f807b35cad18dc Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 21 Nov 2023 16:18:57 +0100 Subject: [PATCH] VPN: IPsec: Virtual Tunnel Interfaces - add secondary tunnel address pair for dual-stack purposes. closes https://github.com/opnsense/core/issues/6777 --- .../OPNsense/IPsec/forms/dialogVTI.xml | 15 +++++++++++ .../mvc/app/models/OPNsense/IPsec/Swanctl.php | 27 +++++++++++++++++-- .../mvc/app/models/OPNsense/IPsec/Swanctl.xml | 10 +++++++ 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml index a4c5d4acc..602d07a9d 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/dialogVTI.xml @@ -37,6 +37,21 @@ The size of the subnet containing local and remote will be calculated automatically + + vti.tunnel_local2 + + text + Inner tunnel local address to be used for routing purposes. + + + vti.tunnel_remote2 + + text + + Inner tunnel remote address to be used for routing purposes. + The size of the subnet containing local and remote will be calculated automatically + + vti.description diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php index 283fdf223..de9b561d5 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.php 
@@ -62,8 +62,12 @@ class Swanctl extends BaseModel } foreach ($vtis as $key => $node) { $vti_inets = []; - foreach (['local', 'remote', 'tunnel_local', 'tunnel_remote'] as $prop) { - $vti_inets[$prop] = strpos((string)$node->$prop, ':') > 0 ? 'inet6' : 'inet'; + foreach (['local', 'remote', 'tunnel_local', 'tunnel_remote', 'tunnel_local2', 'tunnel_remote2'] as $prop) { + if (empty((string)$node->$prop)) { + $vti_inets[$prop] = '-'; + } else { + $vti_inets[$prop] = strpos((string)$node->$prop, ':') > 0 ? 'inet6' : 'inet'; + } } if ($vti_inets['local'] != $vti_inets['remote']) { @@ -72,6 +76,12 @@ class Swanctl extends BaseModel if ($vti_inets['tunnel_local'] != $vti_inets['tunnel_remote']) { $messages->appendMessage(new Message(gettext("Protocol families should match"), $key . ".tunnel_local")); } + if ($vti_inets['tunnel_local2'] != $vti_inets['tunnel_remote2']) { + $messages->appendMessage( + new Message(gettext("Protocol families should match"), + $key . ".tunnel_local2") + ); + } } foreach ($spds as $key => $node) { @@ -249,6 +259,19 @@ class Swanctl extends BaseModel ] ] ]; + if (!empty((string)$node->tunnel_local2)) { + // add optional secondary address + $inet = strpos((string)$node->tunnel_local2, ':') > 0 ? 'inet6' : 'inet'; + $result['ipsec' . (string)$node->reqid]['networks'][] = [ + 'inet' => $inet, + 'tunnel_local' => (string)$node->tunnel_local2, + 'tunnel_remote' => (string)$node->tunnel_remote2, + 'mask' => Util::smallestCIDR( + [(string)$node->tunnel_local2, (string)$node->tunnel_remote2], + $inet + ) + ]; + } } } return $result; diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml index 331e88580..dc0b288cf 100644 --- a/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml +++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml @@ -381,6 +381,16 @@ Y Please specify a valid address. + + N + N + Please specify a valid address. + + + N + N + Please specify a valid address. +
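Review bot: The family classification added in the first hunk, `$vti_inets[$prop] = strpos((string)$node->$prop, ':') > 0 ? 'inet6' : 'inet';`, labels an IPv6 address whose first character is a colon (for example `::1`) as inet, because strpos() returns offset 0 and `0 > 0` is false; the same expression is repeated for tunnel_local2 in the third hunk (`@@ -249,6 +259,19`). For such input the "Protocol families should match" check and the mask computed for the secondary pair would be based on the wrong family. Testing for absence instead, `strpos((string)$node->$prop, ':') !== false ? 'inet6' : 'inet'`, classifies correctly in both places. The validation method this sits in starts and ends outside the hunk.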
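Review bot: The secondary network entry in the third hunk (`@@ -249,6 +259,19`) is emitted whenever tunnel_local2 is non-empty, but tunnel_remote2 is read unconditionally, so a node with only tunnel_local2 set produces an entry whose tunnel_remote is the empty string and passes that empty string to Util::smallestCIDR(). The mismatch check added in the first hunk flags such a pair at validation time, so this presumably only matters when the result is built from configuration that bypassed validation; guarding on both fields keeps the builder self-contained: `if (!empty((string)$node->tunnel_local2) && !empty((string)$node->tunnel_remote2)) {`. The enclosing method starts and ends outside the hunk.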