authorMatt Smith <mgsmith@netgate.com>2014-08-08 17:20:49 -0500
committerMatt Smith <mgsmith@netgate.com>2014-08-08 17:20:49 -0500
commita3331d720c120a8d34d9c44a915ea070e424191d (patch)
treebe333a98eba21d14d3a27ca28fd8d90ac5788f5b
parentffb8e02fc2cae6c603e786d3688e81d3fb05d7c6 (diff)
downloadpfsense-a3331d720c120a8d34d9c44a915ea070e424191d.zip
pfsense-a3331d720c120a8d34d9c44a915ea070e424191d.tar.gz
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
-rw-r--r--etc/inc/vpn.inc21
1 files changed, 17 insertions, 4 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b047132..e384a24 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -194,8 +194,11 @@ function vpn_ipsec_configure($ipchg = false)
if ($ph2ent['pinghost']) {
if (!is_array($iflist))
$iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- if(is_ipaddrv6($ph2ent['pinghost'])) {
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ipv6($ifent);
if(!is_ipaddrv6($interface_ip))
continue;
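Review bot: `get_configured_vips_list()` is called unconditionally here, while `$iflist` just above is filled only once behind `if (!is_array($iflist))`. If this block runs once per phase 2 entry (the enclosing loop is outside the hunk, so this is inferred), the VIP list is rebuilt on every pass. Consider the same guard, `if (!is_array($viplist)) $viplist = get_configured_vips_list();`. A short comment on `$srcip = null;` noting that it clears a source address left over from a previous entry would also help, because the later `is_null($srcip)` fallback depends on that reset.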
@@ -204,17 +207,27 @@ function vpn_ipsec_configure($ipchg = false)
$srcip = $interface_ip;
break;
}
- } else {
+ }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ip($ifent);
if(!is_ipaddrv4($interface_ip))
continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
}
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
+ }
+ }
$dstip = $ph2ent['pinghost'];
if(is_ipaddrv6($dstip)) {
$family = "inet6";
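Review bot: The VIP fallback does not apply the same conditions as the interface loops. It omits the `$local_subnet == "0.0.0.0/0"` wildcard that the IPv4 loop accepts, and it never checks that the VIP's address family matches the ping host, so the selected source may not agree with the `$family` chosen a few lines below. Adding `if (is_ipaddrv6($vip['ipaddr']) != is_ipaddrv6($ph2ent['pinghost'])) continue;` before the subnet test, and the wildcard case to the condition, would keep the three paths consistent. `$srcip` can also still be null after the fallback. The code that consumes it lies outside the hunk, so confirm that it skips the keep-alive ping instead of sending it from a default source that the phase 2 selector would not cover.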