When a failover ipsec ip address is defined, use it as the ip address endpoint for ipsec.

1 files changed, 7 insertions, 1 deletions

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 04b574b..ba638c8 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2420,6 +2420,12 @@ EOD;
 						$interface_ip = find_interface_ip(get_real_wan_interface());
 					else
 						$interface_ip = find_interface_ip(convert_friendly_interface_to_real_interface_name($iface));
+					/* if failover ip is set, use it */
+					if(isset($config['installedpackages']['sasyncd']))
+						if ($config['installedpackages']['sasyncd']['config'] <> "")
+							foreach ($config['installedpackages']['sasyncd']['config'] as $sasyncd)
+								if ($sasyncd['ip'] <> "")
+									$interface_ip = $sasyncd['ip'];
 					$ipfrules .= "pass out quick on \${$iface} proto udp from {$interface_ip} to {$remote_gateway} port = 500 keep state label \"IPSEC: {$tunnel['descr']} - outbound isakmp\"\n";
 					$ipfrules .= "pass in quick on \${$iface} proto udp from {$remote_gateway} to $interface_ip port = 500 keep state label \"IPSEC: {$tunnel['descr']} - inbound isakmp\"\n";
 					if ($tunnel['p2']['protocol'] == 'esp') {
@@ -2833,4 +2839,4 @@ function return_vpn_subnet($adr) {
 
 }
 
-?>
+?>
\ No newline at end of file