Enhancement #3326
ipsec tunnels firewall to firewall
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-ipsec | |||
| Target version: | v6.7 | |||
| Resolution: | NEEDINFO: | No |
Description
ipsec tunnels connect local and remote lan, but not local and remote firewalls, i.e. system in both lan can talk, but trying to ping the remote firewall will fail.
Usually, the workaround is to create another tunnel between the firewalls.
A better option is to use the leftsourceip field in ipsec.conf.
Associated revisions
IPSec tunnels: automatically set leftsourceip. Refs #3326
db: migrate %left from ip to ethernet name. Refs #3326
Web UI: use interfaces for %left field. Refs #3326
Web UI: allow %any value for %right field. Refs #3326
Updated translation label and online help. Refs #3326
IpsecTunnels UI: generate default identifier if field is empty. Refs #3326
IPsec tunnels %any. Refs #3326
Support for %any in Remote IP field [italiano]
History
#1
Updated by Filippo Carletti over 5 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#2
Updated by Filippo Carletti over 5 years ago
leftsourceip should be set to the firewall ip address contained in the first local subnet.
No other option is needed.
Pseudo code:
for each $myips
if $myip is in $leftsubnet then $leftsourceip=$myip
#3
Updated by Giacomo Sanchietti over 5 years ago
- Category set to nethserver-ipsec
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4
Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5
Updated by Giacomo Sanchietti over 5 years ago
We can improve the web interface by allowing the user to choose any type of network interface for the "Local IP" field.
The list should also include red interfaces configured with DHCP.
Also allow the %any value for %right field to enable creation of tunnels with hosts behind NAT.
#6
Updated by Giacomo Sanchietti over 5 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
- nethserver-ipsec-1.1.2-1.6.geb3e0f6.ns6.noarch.rpm
- Create a tunnel between two firewalls
- Check each firewall can ping each other
- Create a tunnel before then upgrade the package
- Check the tunnel is still working
- Try to create a tunnel with a firewall behind NAT
- Set
%anyas "Remote IP" - Make sure the field allows only IP or
%anyvalue - If the value is
%anythe web interface must enforce to set a valid "Remote identifier" and "Local identifier", both must start with@character
#7
Updated by Davide Principi over 5 years ago
- Assignee set to Davide Principi
#8
Updated by Giovanni Bezicheri over 5 years ago
- Assignee changed from Davide Principi to Giovanni Bezicheri
#9
Updated by Giovanni Bezicheri over 5 years ago
- Assignee deleted (
Giovanni Bezicheri)
#10
Updated by Davide Principi over 5 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
System and Package Version installed
Package Installed: nethserver-ipsec-1.1.2-1.ns6.noarch
Test Original Problem
A tunnel endpoint cannot ping the private IP of the other side
Install Updated Package
yum --enablerepo=nethserver-testing update nethserver-ipsec-1.1.2-1.6.geb3e0f6.ns6.noarchTest Results after update
- After updating to the modified version an endpoint can ping the private IP address of the other endpoint (test case 1)
- Other hosts in private (green) networks are reachable (test case 2)
- The
%anyvalue asRemote IPrequires the@form, thought the validator message is not translated correctly:Remote identifier id_notempty
- The connection successfully started from the host behind NAT, where the remote IP was given explicitly (test case 3)
- If the
Local identifierfield is empty, thenethserver-ipsec-idsaction assign%ethXautomatically, which is a non-IP and non-@prefix value
Verified Or Reopen
REOPEN, fix nethserver-ipsec-ids action, by moving the set_prop() call in the UI code.
Actions should not change the DB!
Notes
(Test case 3) on the endpoint where %any was specified the following log line appeared, as expected
Nov 27 17:05:02 firewall pluto[29185]: "nh-ran_ipsec-tunnel/1x1": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
- Update the administrator manual
- Fixed the validator label
#11
Updated by Giacomo Sanchietti over 5 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#12
Updated by Davide Principi over 5 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
Test case 4
If local or remote identifier field is empty, check the value displayed by the field watermark is assigned when the record is saved.
Accepted must be- IP address
- hostname with
@prefix
#13
Updated by Davide Principi over 5 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing
nethserver-ipsec-1.1.2-1.9.ge9548d0.ns6.noarch.rpm
Admin's manual PR:
https://github.com/NethServer/nethserver-docs/pull/88
https://github.com/NethServer/nethserver-docs/pull/89
#14
Updated by Giacomo Sanchietti over 5 years ago
- Assignee set to Giacomo Sanchietti
#15
Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
Test case 4 verified.
#16
Updated by Giacomo Sanchietti over 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-ipsec-1.1.3-1.ns6.noarch.rpm