author | Ermal LUÇI <eri@pfsense.org> | 2015-01-21 21:00:25 +0100 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-01-21 21:00:25 +0100 |
commit | c7edf1f8e83bd391b9ddfb19fc9f75b5c24fcbb9 (patch) | |
tree | b97b8d7a151066117eec920685bef256715df72c /etc/inc | |
parent | 260c6a7eeb65af20f83f286e28c757b812d44649 (diff) | |
download | pfsense-c7edf1f8e83bd391b9ddfb19fc9f75b5c24fcbb9.zip pfsense-c7edf1f8e83bd391b9ddfb19fc9f75b5c24fcbb9.tar.gz |
Ticket #4524 Bring back static routes on ipsec to make sure charon does not send traffic through the wrong iface. This properly handles IPv6.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/vpn.inc | 47 |
1 files changed, 45 insertions, 2 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 137796c..9ca8277 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -189,7 +189,6 @@ function vpn_ipsec_configure($ipchg = false)
 $ifacesuse[] = $vpninterface;
 }
-
 if ($ph1ent['mode'] == "aggressive" && ($ph1ent['authentication_method'] == "pre_shared_key" || $ph1ent['authentication_method'] == "xauth_psk_server"))
 $aggressive_mode_psk = true;
@@ -582,8 +581,52 @@ EOD;
 if (isset($ph1ent['mobile'])) {
 $right_spec = "%any";
 $passive = 'add';
-} else
+} else {
 $right_spec = $ph1ent['remote-gateway'];
+if (is_ipaddrv4($right_spec)) {
+if (strpos($ph1ent['interface'], '_vip')) {
+$vpninterface = explode('_vip', $ph1ent['interface']);
+$ifacesuse = get_real_interface($vpninterface[0]);
+} else {
+$ifacesuse = get_failover_interface($ph1ent['interface']);
+}
+
+if (!empty($ifacesuse) && interface_has_gateway($parentinterface)) {
+$gatewayip = get_interface_gateway($ifacesuse);
+$interfaceip = get_interface_ip($ifacesuse);
+$subnet_bits = get_interface_subnet($ifacesuse);
+$subnet_ip = gen_subnetv4($interfaceip, $subnet_bits);
+/* if the remote gateway is in the local subnet, then don't add a route */
+if (!ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {
+if (is_ipaddrv4($gatewayip)) {
+// log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
+mwexec("/sbin/route change -host {$rgip} {$gatewayip}", true);
+}
+}
+}
+} else if (is_ipaddrv6($right_spec)) {
+if (strpos($ph1ent['interface'], '_vip')) {
+$vpninterface = explode('_vip', $ph1ent['interface']);
+$ifacesuse = get_real_interface($vpninterface[0]);
+} else {
+$ifacesuse = get_failover_interface($ph1ent['interface']);
+}
+
+if (!empty($ifacesuse) && interface_has_gateway($parentinterface)) {
+$gatewayip = get_interface_gateway_v6($ifacesuse);
+$interfaceip = get_interface_ipv6($ifacesuse);
+$subnet_bits = get_interface_subnetv6($ifacesuse);
+$subnet_ip = gen_subnetv6($interfaceip, $subnet_bits);
+/* if the remote gateway is in the local subnet, then don't add a route */
+if (!ip_in_subnet($rgip, "{$subnet_ip}/{$subnet_bits}")) {
+if (is_ipaddrv6($gatewayip)) {
+// log_error("IPSEC interface is not WAN but {$parentinterface}, adding static route for VPN endpoint {$rgip} via {$gatewayip}");
+mwexec("/sbin/route change -inet6 -host {$rgip} {$gatewayip}", true);
+}
+}
+}
+}
+}
 list ($myid_type, $myid_data) = ipsec_find_id($ph1ent, "local");
 if ($myid_type == 'fqdn')
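Review bot: The value interpolated into the `/sbin/route change` command on the two `mwexec` lines is `$rgip`, but the guard that opens each branch validates `$right_spec` (`is_ipaddrv4`/`is_ipaddrv6`), and `$rgip` is assigned nowhere in the hunk; unless it is set from that same validated address earlier in vpn_ipsec_configure (whose body starts and ends outside the hunk), an unset or stale value reaches both `ip_in_subnet()` and the shell command. Likewise `interface_has_gateway($parentinterface)` tests a different interface than the `get_interface_gateway($ifacesuse)` lookup on the next line, so a VIP or failover interface can be checked against the wrong parent. I would route the already-validated `$right_spec` and check `$ifacesuse` consistently, and since the v4 and v6 branches differ only in helper names, hoisting the interface resolution above the address-family test removes the duplicated block. The two commented-out `log_error` lines should either be removed or become real log calls.
```php
		} else {
			$right_spec = $ph1ent['remote-gateway'];
			/* Resolve the egress interface once; both address families use it. */
			if (strpos($ph1ent['interface'], '_vip')) {
				$vpninterface = explode('_vip', $ph1ent['interface']);
				$ifacesuse = get_real_interface($vpninterface[0]);
			} else {
				$ifacesuse = get_failover_interface($ph1ent['interface']);
			}
			if (is_ipaddrv4($right_spec)) {
				if (!empty($ifacesuse) && interface_has_gateway($ifacesuse)) {
					// … unchanged: v4 gateway / subnet lookup …
					/* $right_spec is a validated IPv4 literal here, so only that reaches the shell. */
					if (!ip_in_subnet($right_spec, "{$subnet_ip}/{$subnet_bits}") && is_ipaddrv4($gatewayip)) {
						mwexec("/sbin/route change -host {$right_spec} {$gatewayip}", true);
					}
				}
			} else if (is_ipaddrv6($right_spec)) {
				// … unchanged: v6 branch with the same $right_spec / $ifacesuse substitution …
			}
		}
```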