Broken spd.conf file on systems with only a WAN



  • I've been troubleshooting an IPSec tunnel the last few days and I finally figured out what was keeping my SPD entries from showing up.

    Someone else found this before, noted here: http://forum.pfsense.org/index.php/topic,18508.0.html but didn't dig into why exactly a LAN interface was required.

    On line 746 of /etc/inc/vpn.inc there's the following comment and code:

        /* What are these SPD entries for?
         * -mgrooms 07/10/2008
         */
        // $lanip, $lansa and $lansn are empty on a box with no LAN interface
        $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
        $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";


    …which causes invalid entries to be added to the beginning of /var/etc/spd.conf
    The result? setkey errors out and no SPD entries get added at all.

    Does anyone know why those are in there at all?



  • Those are supposed to prevent you from losing access to the web interface from the LAN in any case.
    Though I will make sure they get added only when the LAN is present.
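
    The fix described in the reply, written out as an added example rather than pfSense's own vpn.inc code: the two bypass policies are only emitted when the LAN variables are actually populated and valid, so a WAN-only box never gets the malformed "spdadd /32 / any -P out none;" lines that make setkey reject the whole file. The variable names $lanip, $lansa and $lansn follow vpn.inc; the function name lan_bypass_spd_entries() and the sample addresses are my own.

```php
<?php
// Added example, not code from pfSense's vpn.inc. Builds the two "none"
// policies that exempt LAN <-> LAN-address traffic from IPsec processing,
// but only when there is a LAN to protect.

/**
 * Return the spdadd lines for the LAN bypass policies, or an empty string
 * when the LAN variables are missing or malformed.
 *
 * $lanip  - LAN interface address  (e.g. 192.168.1.1)
 * $lansa  - LAN subnet address     (e.g. 192.168.1.0)
 * $lansn  - LAN prefix length      (e.g. 24)
 * (names as used in vpn.inc; function name is hypothetical)
 */
function lan_bypass_spd_entries($lanip, $lansa, $lansn) {
    // On a system with only a WAN these are empty strings. Interpolating
    // them gives "spdadd /32 / any -P out none;", which setkey refuses,
    // and a single bad line means no SPD entries get loaded at all.
    // Emitting nothing is the safe outcome: there is no LAN to bypass.
    if ($lanip === '' || $lansa === '' || $lansn === '') {
        return '';
    }
    // Also refuse values that would not parse as an IPv4 address/prefix,
    // for the same reason: one bad line poisons the entire spd.conf.
    if (filter_var($lanip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false ||
        filter_var($lansa, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false ||
        !ctype_digit((string)$lansn) || (int)$lansn > 32) {
        return '';
    }

    $spdconf  = "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
    $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
    return $spdconf;
}

// Constructed sample values, not taken from a real system.
// A box with a LAN gets the two bypass lines:
echo lan_bypass_spd_entries('192.168.1.1', '192.168.1.0', '24');
// A WAN-only box gets nothing, so the rest of spd.conf still loads:
var_dump(lan_bypass_spd_entries('', '', ''));
```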


Log in to reply