Regarding the issue with display of subnets on the index.cgi page, I think I have (in our case) narrowed it down to tunnels with multiple subents defined in a comma separated list.
A tunnel with remote subnet "10.7.0.0/24,10.7.1.0/24" displayed on index.cgi as "10.7.0.0/3". When changed to "10.7.0.0/23", it displays properly on index.cgi.
I suspect that the code to display the subnet pre-dates the change to allow multiple subnets in one tunnel and needs to be modified?
I have opened bug 11604 for this issue. https://bugzilla.ipfire.org/show_bug.cgi?id=11604
Tom
PS: My output below was wrong, the index.cgi page showed 10.253.0.0/3, not "10.6.0.0/3". I fixed that in the bug description.
On 01/29/2018 12:26 PM, Tom Rymes wrote:
Generally, it seems that quite some bugs are related to IPsec: For example, even though a N2N connection is using /24 remote networks, it says it uses a /3 (virtually _everything_) at the main WebUI page...
We have around 20 tunnels between IPFire hosts, and I had never noticed that before, but I just went and looked, and sure as ****, it's there. Perhaps this is the source of the bugs saying that an address is part of an existing IPSec scope?
The index.cgi page shows:
"tunnelname 10.6.1.0/3 CONNECTED"
while the output of "ipsec status tunnelname" shows:
Routed Connections: tunnelname{102}: ROUTED, TUNNEL, reqid 17 tunnelname{102}: 10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24 Security Associations (26 up, 0 connecting): tunnelname[348]: ESTABLISHED 119 seconds ago, x.x.x.x[C=US, ST=NH, O=MyOrg, OU=Engineering Dept., CN=host1.myorg.dom]...y.y.y.y[C=US, ST=NH, O=MyOrg - tunnelname, OU=Engineering, CN=host2.myorg.dom] tunnelname{5022}: INSTALLED, TUNNEL, reqid 17, ESP SPIs: cdbada31_i c4e24e27_o, IPCOMP CPIs: 5431_i 6977_o tunnelname{5022}: 10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24 tunnelname{5023}: INSTALLED, TUNNEL, reqid 17, ESP SPIs: cfdce8b8_i c1d1780e_o, IPCOMP CPIs: 6d81_i cbd4_o tunnelname{5023}: 10.254.0.0/23 === 10.253.1.0/24 10.253.2.0/24