author | Matt Smith <mgsmith@netgate.com> | 2014-08-08 17:09:37 -0500 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2014-08-08 17:09:37 -0500 |
commit | dc63467f3f8910f9cad7be877274ce939fb7ec4f (patch) | |
tree | 270bedae6e1420c170ea2d2aee9d3d20e41d0efd /etc | |
parent | 762e8cf91f9a1be21de47d97f2310ffe808a2f5e (diff) | |
Fix #3798 - 'IPsec phase 2 pinghost is not used if the source IP should be a virtual IP address'
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 607ec86..44ab33d 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -219,27 +219,39 @@ function vpn_ipsec_configure($ipchg = false)
 if ($ph2ent['pinghost']) {
 if (!is_array($iflist))
 $iflist = get_configured_interface_list();
- foreach ($iflist as $ifent => $ifname) {
- if(is_ipaddrv6($ph2ent['pinghost'])) {
+ $viplist = get_configured_vips_list();
+ $srcip = null;
+ $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
+ if(is_ipaddrv6($ph2ent['pinghost'])) {
+ foreach ($iflist as $ifent => $ifname) {
 $interface_ip = get_interface_ipv6($ifent);
 if(!is_ipaddrv6($interface_ip))
 continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if (ip_in_subnet($interface_ip, $local_subnet)) {
 $srcip = $interface_ip;
 break;
 }
- } else {
+ }
+ } else {
+ foreach ($iflist as $ifent => $ifname) {
 $interface_ip = get_interface_ip($ifent);
 if(!is_ipaddrv4($interface_ip))
 continue;
- $local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid'], true, $ph2ent['mode']);
 if ($local_subnet == "0.0.0.0/0" || ip_in_subnet($interface_ip, $local_subnet)) {
 $srcip = $interface_ip;
 break;
 }
 }
 }
+ /* if no valid src IP was found in configured interfaces, try the vips */
+ if (is_null($srcip)) {
+ foreach ($viplist as $vip) {
+ if (ip_in_subnet($vip['ipaddr'], $local_subnet)) {
+ $srcip = $vip['ipaddr'];
+ break;
+ }
+ }
+ }
 $dstip = $ph2ent['pinghost'];
 if(is_ipaddrv6($dstip)) {
 $family = "inet6";
|
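Review bot: The VIP fallback loop at the end of the hunk accepts the first `$vip['ipaddr']` that `ip_in_subnet()` matches without checking its address family or that it is a valid address at all, while both interface loops above it filter with `is_ipaddrv4()`/`is_ipaddrv6()` first. Unless `ip_in_subnet()` itself rejects mixed families (not visible here), a VIP of the wrong family could become `$srcip` for a ping whose `$family` is later derived from `$dstip` alone, and the keepalive would fail quietly. A guard as the first statement of the loop body would close this: `if (is_ipaddrv6($vip['ipaddr']) != is_ipaddrv6($ph2ent['pinghost'])) continue;`. The IPv4 interface loop also special-cases `$local_subnet == "0.0.0.0/0"` and the VIP loop does not, so it is worth confirming that case behaves as intended. `vpn_ipsec_configure()` starts and ends outside the hunk, so how a still-null `$srcip` is handled afterwards cannot be checked from here.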