Selection of CARP Addresses in IPsec #3732
Comments
I have got the same problem here. Multiple virtual WAN addresses, but I can only choose one WAN address in the IPsec phase 1 definition.
What can I do to complete the issue?
A screenshot would be a good start. Today I helped a customer with the latest 19.7.5_5 and around 20 CARP aliases, where every one was selectable ...
I am on 19.7.6 and having a similar issue. But since I am running an IPv6 configuration, I can confirm that with IPv6 the expected behavior works. All IPv6 CARP addresses get listed. Just the IPv4 CARP addresses are missing. Here is a list of what is listed and selectable:
Not listed:
Not even one IPv4 CARP address is listed.
Same interface and same vhid used multiple times? (for the missing ones)
That would be the only thing I can think of looking at the code.
https://github.com/opnsense/core/blob/b2560c6eb46e2739a33c8e761db2b9efe541b776/src/etc/inc/util.inc#L866
^^ can't cope with overlap
Hi,
yes, IPv6 and IPv4 use the same VHID per interface.
Kind regards,
Kimotu Bates
Ad Schellevis <notifications@github.com> wrote on Fri., 22 Nov. 2019, 18:33:
Same interface and same vhid used multiple times? (for the missing ones)
That would be the only thing I can think of looking at the code.
https://github.com/opnsense/core/blob/b2560c6eb46e2739a33c8e761db2b9efe541b776/src/etc/inc/util.inc#L866
^^ can't cope with overlap
OK, we need to check the callers of
There won't be an easy fix for this without breaking existing configurations or needing changes to existing setups. Since the schema
Marked the ticket as cleanup for now; it's an omission in the system. A workaround could be to use separate VHIDs in cases where you want to use them for binding.
Looking at the validations again, you shouldn't be allowed to add more than one CARP vhid on an interface. 754d483 The intended use is to use aliases for the non-primary one (which also prevents trying to set the password several times on the same interface).
Within the same address family, I do use IP aliases. One IPv4 CARP, the rest
aliases. But I don't see an IPv6 address as an alias for an IPv4 address.
Although the CARP mechanism differs. IPv6 uses protocol 112, IPv4 multicast.
Kind regards,
Kimotu Bates
Ad Schellevis <notifications@github.com> wrote on Sat., 23 Nov. 2019, 10:08:
looking at the validations again, you shouldn't be allowed to add more
than one carp vhid on an interface. 754d483
Intended use is to use aliases for the non-primary one (which also prevents
trying to set the password several times on the same interface).
Since the internal key is per interface+vhid it won't support overlap; the previous bug (754d483) allowed such entries to be made. Changing this would probably mean supporting IP aliases with a vhid in these selections and adding some sort of key to identify them, but unfortunately this probably involves quite some work to fix a pattern that's already quite flawed (mixing interfaces and addresses).
(cherry picked from commit bbb4d90)
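The key collision Ad describes above, modelled as an added PHP example that is not OPNsense's own code: the array layout, the `<interface>_vip<vhid>` key format, the function names and the sample VIP entries are assumptions chosen to illustrate the pattern, not the contents of util.inc. It builds the selection list the flawed way, shows which entries are lost, and shows what a family-aware key would change.

```php
<?php
declare(strict_types=1);

// Added example, not OPNsense code. It models the pattern described in the
// thread: a CARP selection list keyed by "<interface>_vip<vhid>", which
// cannot hold two CARP VIPs that share an interface and VHID. The array
// layout, key format and VIP entries are assumptions made for illustration.

// Constructed sample of Firewall -> Virtual IPs entries. Entries 1 and 3
// share interface "wan" and VHID 1 (one IPv4, one IPv6), as in the thread.
$virtual_ips = [
    ['interface' => 'wan', 'mode' => 'carp',    'vhid' => 1, 'subnet' => '203.0.113.10'],
    ['interface' => 'wan', 'mode' => 'carp',    'vhid' => 2, 'subnet' => '203.0.113.11'],
    ['interface' => 'wan', 'mode' => 'carp',    'vhid' => 1, 'subnet' => '2001:db8::10'],
    ['interface' => 'wan', 'mode' => 'ipalias', 'vhid' => 1, 'subnet' => '203.0.113.12'],
    ['interface' => 'lan', 'mode' => 'carp',    'vhid' => 1, 'subnet' => '192.0.2.1'],
];

// Assumed key format: interface name plus VHID, nothing about the address.
function vip_key(array $vip): string
{
    return $vip['interface'] . '_vip' . $vip['vhid'];
}

// Flawed pattern: because the key omits the address, the last CARP VIP
// with a given interface+VHID silently overwrites the earlier ones.
function carp_list_keyed_by_vhid(array $vips): array
{
    $list = [];
    foreach ($vips as $vip) {
        if ($vip['mode'] !== 'carp') {
            continue; // IP aliases are not offered for binding here
        }
        $list[vip_key($vip)] = $vip['subnet'];
    }
    return $list;
}

// Check to run against your own VIP table before relying on a CARP VIP for
// IPsec binding: which keys collide, i.e. which addresses can never be
// selected, whatever the GUI shows.
function find_vhid_collisions(array $vips): array
{
    $by_key = [];
    foreach ($vips as $vip) {
        if ($vip['mode'] === 'carp') {
            $by_key[vip_key($vip)][] = $vip['subnet'];
        }
    }
    return array_filter($by_key, fn(array $addrs): bool => count($addrs) > 1);
}

// One way to keep IPv4 and IPv6 CARP VIPs apart: add the address family to
// the key. This does not help two same-family VIPs on one VHID, and it
// changes the key format that existing configurations already store, which
// is the compatibility problem noted in the thread.
function carp_list_keyed_by_vhid_and_family(array $vips): array
{
    $list = [];
    foreach ($vips as $vip) {
        if ($vip['mode'] !== 'carp') {
            continue;
        }
        $is_v6 = filter_var($vip['subnet'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
        $list[vip_key($vip) . ($is_v6 ? '_inet6' : '_inet')] = $vip['subnet'];
    }
    return $list;
}

print_r(carp_list_keyed_by_vhid($virtual_ips));
print_r(find_vhid_collisions($virtual_ips));
print_r(carp_list_keyed_by_vhid_and_family($virtual_ips));
```

Run it with `php` (7.4 or newer for the arrow function). In the first list the key wan_vip1 holds only the IPv6 address, because that entry was defined after the IPv4 one; this matches the reports above that the IPv4 CARP addresses vanish from the dropdown and that ipsec.conf ends up with the last-defined VIP. The collision finder names exactly those entries. The family-aware key makes both addresses selectable, but a stored reference such as wan_vip1 would no longer resolve, which is why a fix touches existing configurations.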
This issue has been automatically timed out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue,

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
[+] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[+] I have searched the existing issues and I'm convinced that mine is new.
Describe the bug
If more than one CARP IP is defined, the selection box for the IPsec phase 1 interface
only lists the last CARP IP entry for that interface. The other IPs are not in the list.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
All Carp IPs are in the list and selectable
Screenshots
Relevant log files
Additional context
A VPN uses a virtual IP as the VPN interface.
I have defined multiple virtual IPs for the WAN interface.
The IP written to /usr/local/etc/ipsec.conf is the last virtual WAN IP defined in Firewall -> Virtual IP -> Settings (not the one displayed in VPN -> IPsec -> Tunnel Settings -> Phase 1).
It is mandatory that we can choose every defined virtual IP in the VPN settings, and not a random one from the WAN interface.
Path to file
/vpn_ipsec_phase1.php?p1 (URL)
/usr/local/etc/ipsec.conf (File path)
Environment
OPNsense 19.7.4_1 (amd64, LibreSSL)