From: Tom Rymes
To: development@lists.ipfire.org
Subject: Re: IPSec Roadwarrior Configuration
Date: Mon, 29 Jan 2018 12:50:04 -0500
Message-ID: <884f8e86-30ee-47d6-0ca4-4ce32ca56b66@rymes.com>
In-Reply-To: <3b16015a-cbc5-83a0-2d07-cf78b858000f@rymes.com>

Regarding the issue with display of subnets on the index.cgi page, I think I have (in our case) narrowed it down to tunnels with multiple subnets defined in a comma separated list.

A tunnel with remote subnet "10.7.0.0/24,10.7.1.0/24" displayed on index.cgi as "10.7.0.0/3". When changed to "10.7.0.0/23", it displays properly on index.cgi.

I suspect that the code to display the subnet pre-dates the change to allow multiple subnets in one tunnel and needs to be modified?

I have opened bug 11604 for this issue.
https://bugzilla.ipfire.org/show_bug.cgi?id=11604

Tom

PS: My output below was wrong: the index.cgi page showed 10.253.0.0/3, not "10.6.0.0/3". I fixed that in the bug description.

On 01/29/2018 12:26 PM, Tom Rymes wrote:
>> Generally, it seems that quite some bugs are related to IPsec: For example,
>> even though a N2N connection is using /24 remote networks, it says it uses
>> a /3 (virtually _everything_) at the main WebUI page...
>
> We have around 20 tunnels between IPFire hosts, and I had never noticed that before, but I just went and looked, and sure as ****, it's there. Perhaps this is the source of the bugs saying that an address is part of an existing IPSec scope?
>
> The index.cgi page shows:
>
> "tunnelname    10.6.1.0/3    CONNECTED"
>
> while the output of "ipsec status tunnelname" shows:
>
> Routed Connections:
>       tunnelname{102}:  ROUTED, TUNNEL, reqid 17
>       tunnelname{102}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
> Security Associations (26 up, 0 connecting):
>       tunnelname[348]: ESTABLISHED 119 seconds ago, x.x.x.x[C=US, ST=NH, O=MyOrg, OU=Engineering Dept., CN=host1.myorg.dom]...y.y.y.y[C=US, ST=NH, O=MyOrg - tunnelname, OU=Engineering, CN=host2.myorg.dom]
>       tunnelname{5022}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: cdbada31_i c4e24e27_o, IPCOMP CPIs: 5431_i 6977_o
>       tunnelname{5022}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
>       tunnelname{5023}:  INSTALLED, TUNNEL, reqid 17, ESP SPIs: cfdce8b8_i c1d1780e_o, IPCOMP CPIs: 6d81_i cbd4_o
>       tunnelname{5023}:   10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24
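The parsing problem described in this thread, as an added example that is not IPFire's index.cgi code: the comma-separated remote-subnet field is split into validated networks so every subnet is shown, a malformed value such as the displayed "10.7.0.0/3" is rejected rather than rendered, and the two adjacent /24s are shown to collapse to the "/23" that worked around the bug. The sample field and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample: a remote-subnet field in the comma-separated form
# IPFire accepts, using the values from the message above.
SAMPLE_REMOTE_SUBNETS = "10.7.0.0/24,10.7.1.0/24"


def parse_subnet_list(field):
    """Split a comma-separated subnet field into validated IPv4 networks.

    Every entry must be a well-formed CIDR with no host bits set; anything
    else raises ValueError instead of being displayed as a bogus prefix.
    """
    nets = []
    for raw in field.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing comma or doubled separator
        nets.append(ipaddress.ip_network(raw, strict=True))
    if not nets:
        raise ValueError("subnet field contains no networks")
    return nets


def is_valid_subnet_field(field):
    """True only if every entry parses; "10.7.0.0/3" fails (host bits set)."""
    try:
        parse_subnet_list(field)
        return True
    except ValueError:
        return False


def display_subnets(field):
    """Render the field for a status page: all subnets, space separated."""
    return " ".join(str(n) for n in parse_subnet_list(field))


def collapsed(field):
    """Smallest equivalent network set, e.g. two adjacent /24s become one /23."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_subnet_list(field))]


def address_in_scope(addr, field):
    """Overlap check: is addr inside any of the tunnel's subnets (not just the first)?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in parse_subnet_list(field))
```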