author | Matt Smith <mgsmith@netgate.com> | 2014-08-08 17:20:49 -0500 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2014-08-08 17:20:49 -0500 |
commit | a3331d720c120a8d34d9c44a915ea070e424191d (patch) | |
tree | be333a98eba21d14d3a27ca28fd8d90ac5788f5b /etc/inc | |
parent | ffb8e02fc2cae6c603e786d3688e81d3fb05d7c6 (diff) | |
download | pfsense-a3331d720c120a8d34d9c44a915ea070e424191d.zip pfsense-a3331d720c120a8d34d9c44a915ea070e424191d.tar.gz |
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/vpn.inc | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index b047132..e384a24 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -194,8 +194,11 @@ function vpn_ipsec_configure($ipchg = false)
 if ($ph2ent['pinghost']) {
 if (!is_array($iflist))
 $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- if(is_ipaddrv6($ph2ent['pinghost'])) {
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
 $interface_ip = get_interface_ipv6($ifent);
 if(!is_ipaddrv6($interface_ip))
 continue;
@@ -204,17 +207,27 @@ function vpn_ipsec_configure($ipchg = false)
 $srcip = $interface_ip;
 break;
 }
- } else {
+ }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
 $interface_ip = get_interface_ip($ifent);
 if(!is_ipaddrv4($interface_ip))
 continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
 $srcip = $interface_ip;
 break;
 }
 }
 }
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
+ }
+ }
 $dstip = $ph2ent['pinghost'];
 if(is_ipaddrv6($dstip)) {
 $family = "inet6"; |
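Review bot: `$viplist = get_configured_vips_list();` in the first hunk runs for every phase 2 entry that has a pinghost, although the list is read only by the fallback loop in the second hunk, and only when no interface address matched. The `$iflist` lookup directly above it is guarded with `if (!is_array($iflist))`; using the same pattern, `if (!is_array($viplist)) $viplist = get_configured_vips_list();`, or moving the call inside `if (is_null($srcip)) {`, would keep the two lookups consistent. The enclosing function starts and ends outside the hunk.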
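Review bot: The VIP fallback loop in the second hunk accepts `$vip['ipaddr']` as the source address without the address-family guard that both interface loops apply (`is_ipaddrv4()` / `is_ipaddrv6()` followed by `continue`), so an empty or other-family entry is passed straight to `ip_in_subnet()`, whose handling of such input is not visible here. Mirroring the guard at the top of the loop, `$want_v6 = is_ipaddrv6($ph2ent['pinghost']);` then `if ($want_v6 ? !is_ipaddrv6($vip['ipaddr']) : !is_ipaddrv4($vip['ipaddr'])) continue;`, would keep the chosen source in the same family as `$dstip`. The IPv4 loop's `$local_subnet == "0.0.0.0/0"` case is also not carried over to the fallback. After the fallback `$srcip` can still be null and execution continues at `$dstip = $ph2ent['pinghost'];`; the code that consumes `$srcip` lies outside the hunk, so it is worth confirming that it skips the entry rather than emitting an empty source address.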