Regarding the issue with display of subnets on the index.cgi page, I think I have (in our case) narrowed it down to tunnels with multiple subents defined in a comma separated list. A tunnel with remote subnet "10.7.0.0/24,10.7.1.0/24" displayed on index.cgi as "10.7.0.0/3". When changed to "10.7.0.0/23", it displays properly on index.cgi. I suspect that the code to display the subnet pre-dates the change to allow multiple subnets in one tunnel and needs to be modified? I have opened bug 11604 for this issue. https://bugzilla.ipfire.org/show_bug.cgi?id=11604 Tom PS: My output below was wrong, the index.cgi page showed 10.253.0.0/3, not "10.6.0.0/3". I fixed that in the bug description. On 01/29/2018 12:26 PM, Tom Rymes wrote: >> Generally, it seems that quite some bugs are related to IPsec: For >> example, >> even though a N2N connection is using /24 remote networks, it says it >> uses >> a /3 (virtually _everything_) at the main WebUI page... > > We have around 20 tunnels between IPFire hosts, and I had never noticed > that before, but I just went and looked, and sure as ****, it's there. > Perhaps this is the source of the bugs saying that an address is part of > an existing IPSec scope? > > The index.cgi page shows: > > "tunnelname    10.6.1.0/3    CONNECTED" > > while the output of "ipsec status tunnelname" shows: > > Routed Connections: >       tunnelname{102}:  ROUTED, TUNNEL, reqid 17 >       tunnelname{102}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24 > Security Associations (26 up, 0 connecting): >       tunnelname[348]: ESTABLISHED 119 seconds ago, x.x.x.x[C=US, > ST=NH, O=MyOrg, OU=Engineering Dept., > CN=host1.myorg.dom]...y.y.y.y[C=US, ST=NH, O=MyOrg - tunnelname, > OU=Engineering, CN=host2.myorg.dom] >       tunnelname{5022}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: > cdbada31_i c4e24e27_o, IPCOMP CPIs: 5431_i 6977_o >       tunnelname{5022}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24 >       tunnelname{5023}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: > cfdce8b8_i c1d1780e_o, IPCOMP CPIs: 6d81_i cbd4_o >       tunnelname{5023}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24