authorChris Buechler <cmb@pfsense.org>2014-12-30 20:11:19 -0600
committerChris Buechler <cmb@pfsense.org>2014-12-30 20:11:19 -0600
commita7f2eea80f2fac9426d4efa463a1e7a886898037 (patch)
tree0a3b63603339a102fe07641bc81a9f5b367ef773
parent69f7d82f421fcb5eca2352e56a42c72652db1778 (diff)
downloadpfsense-a7f2eea80f2fac9426d4efa463a1e7a886898037.zip
pfsense-a7f2eea80f2fac9426d4efa463a1e7a886898037.tar.gz
Only set route-to and reply-to on ESP and ISAKMP rules if the remote endpoint is not within the parent interface's subnet. Ticket #4157
-rw-r--r--etc/inc/filter.inc30
1 files changed, 18 insertions, 12 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 1f94ce5..0707d36 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -3694,21 +3694,27 @@ function filter_generate_ipsec_rules($log = array()) {
}
unset($gateway);
- /* add endpoint routes to correct gateway on interface */
+ /* add endpoint routes to correct gateway on interface if the
+ remote endpoint is not on this interface's subnet */
if((is_ipaddrv4($rgip)) && (interface_has_gateway($parentinterface))) {
- $gateway = get_interface_gateway($parentinterface);
- $interface = $FilterIflist[$parentinterface]['if'];
-
- $route_to = " route-to ( $interface $gateway ) ";
- $reply_to = " reply-to ( $interface $gateway ) ";
-
+ $parentifsubnet = get_interface_ip($parentinterface) . "/" . get_interface_subnet($parentinterface);
+ if (!ip_in_subnet($rgip, $parentifsubnet)) {
+ $gateway = get_interface_gateway($parentinterface);
+ $interface = $FilterIflist[$parentinterface]['if'];
+
+ $route_to = " route-to ( $interface $gateway ) ";
+ $reply_to = " reply-to ( $interface $gateway ) ";
+ }
}
if((is_ipaddrv6($rgip)) && (interface_has_gatewayv6($parentinterface))) {
- $gateway = get_interface_gateway_v6($parentinterface);
- $interface = $FilterIflist[$parentinterface]['if'];
-
- $route_to = " route-to ( $interface $gateway ) ";
- $reply_to = " reply-to ( $interface $gateway ) ";
+ $parentifsubnet = get_interface_ipv6($parentinterface) . "/" . get_interface_subnetv6($parentinterface);
+ if (!ip_in_subnet($rgip, $parentifsubnet)) {
+ $gateway = get_interface_gateway_v6($parentinterface);
+ $interface = $FilterIflist[$parentinterface]['if'];
+
+ $route_to = " route-to ( $interface $gateway ) ";
+ $reply_to = " reply-to ( $interface $gateway ) ";
+ }
}
/* Just in case */