Incorrect `<vpn_networks>` and `<negate_networks>` tables?
I’ve been playing around with outgoing IPsec with 2.4.0.b.20170418.0759 running in VirtualBox. I have a working IKEv2 with an IPv4 Tunnel and a defined but currently disabled IPv6 Tunnel. The remote side of the IPv4 Tunnel is defined as 0.0.0.0/0, and for the IPv6 Tunnel it’s ::/0.
In /tmp/rules.debug I see that the `<vpn_networks>` and `<negate_networks>` tables look like this:

```
table <vpn_networks> { ::/0 }
table <negate_networks> { ::/0 }
```
The function filter_get_vpns_list() in filter.inc explicitly excludes 0.0.0.0/0 but not ::/0. It also doesn’t take into account whether a phase2 is disabled.
On the other hand, I’m not sure how leaving `<vpn_networks>` empty will affect these rules that set MSS clamping for IPsec:

```
scrub from any to <vpn_networks> max-mss 1356
scrub from <vpn_networks> to any max-mss 1356
```
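To illustrate the two gaps described above (a default route of either family leaking into the table, and disabled phase2 entries still being listed), here is an added, stand-alone Python model of how the table could be built. It is not pfSense's filter.inc code; the phase2 entries and the `disabled`/`remote` keys are constructed for the example.

```python
import ipaddress

# Constructed sample phase2 entries, loosely modelled on the setup in the post:
# an enabled IPv4 tunnel to 0.0.0.0/0, a disabled IPv6 tunnel to ::/0,
# plus one ordinary remote subnet per family so the resulting table is not empty.
PHASE2_ENTRIES = [
    {"disabled": False, "remote": "0.0.0.0/0"},
    {"disabled": True,  "remote": "::/0"},
    {"disabled": False, "remote": "10.20.0.0/16"},
    {"disabled": False, "remote": "2001:db8:1::/48"},
]


def is_default_route(network):
    """True for 0.0.0.0/0 and ::/0, i.e. a /0 prefix in either address family."""
    net = ipaddress.ip_network(network, strict=False)
    return net.prefixlen == 0


def vpn_networks(entries):
    """Return the remote networks that belong in <vpn_networks>.

    Skips disabled phase2 entries and default routes of either family,
    so neither 0.0.0.0/0 nor ::/0 ends up matching all traffic via the table.
    """
    result = []
    for p2 in entries:
        if p2["disabled"]:
            continue
        if is_default_route(p2["remote"]):
            continue
        if p2["remote"] not in result:      # keep the table free of duplicates
            result.append(p2["remote"])
    return result


def pf_table(name, networks):
    """Render a pf table definition in the form seen in /tmp/rules.debug."""
    return "table <%s> { %s }" % (name, " ".join(networks))


if __name__ == "__main__":
    nets = vpn_networks(PHASE2_ENTRIES)
    print(pf_table("vpn_networks", nets))
    print(pf_table("negate_networks", nets))
```

With the sample entries, both default routes are dropped (one because it is a /0, the other because it is disabled), leaving only the two real remote subnets in the table.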