authorMatt Smith <mgsmith@netgate.com>2014-08-08 17:09:37 -0500
committerMatt Smith <mgsmith@netgate.com>2014-08-08 17:09:37 -0500
commitdc63467f3f8910f9cad7be877274ce939fb7ec4f (patch)
tree270bedae6e1420c170ea2d2aee9d3d20e41d0efd /etc
parent762e8cf91f9a1be21de47d97f2310ffe808a2f5e (diff)
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/vpn.inc22
1 files changed, 17 insertions, 5 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 607ec86..44ab33d 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -219,27 +219,39 @@ function vpn_ipsec_configure($ipchg = false)
if ($ph2ent['pinghost']) {
if (!is_array($iflist))
$iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- if(is_ipaddrv6($ph2ent['pinghost'])) {
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ipv6($ifent);
if(!is_ipaddrv6($interface_ip))
continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if (ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
- } else {
+ }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
$interface_ip = get_interface_ip($ifent);
if(!is_ipaddrv4($interface_ip))
continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
$srcip = $interface_ip;
break;
}
}
}
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
+ }
+ }
$dstip = $ph2ent['pinghost'];
if(is_ipaddrv6($dstip)) {
$family = "inet6";
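Review bot: The VIP fallback loop takes `$vip['ipaddr']` as the source address without the address-family check that both interface loops apply (`is_ipaddrv6()` / `is_ipaddrv4()` before `ip_in_subnet()`), so a VIP of the other family than the ping target is handed straight to `ip_in_subnet()`. I would add `if (is_ipaddrv6($vip['ipaddr']) != is_ipaddrv6($ph2ent['pinghost'])) continue;` at the top of the loop body so the chosen source always matches the family of `pinghost`. The IPv4 `"0.0.0.0/0"` special case is also not mirrored in the fallback, which presumably matters only if `ip_in_subnet()` does not accept a /0 prefix. If neither an interface nor a VIP matches, `$srcip` stays null and execution continues to `$dstip`; how that is handled lies outside this hunk, as do the start and end of `vpn_ipsec_configure()`.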