[Openswan dev] Vigor 2500 v2.50 buglet in ip/mask processing

Paul Wouters paul at xtdnet.nl
Thu Sep 30 17:47:07 CEST 2004


Vigor 2500 v2.50 buglet in ip/mask processing

When specifying a full internet address instead of using a 'zero' network
notation, despite a proper netmask which should ignore this last digit,
it breaks the IPsec connection.

So in a lan-to-lan profile at the "4.TCP/IP Network Settings" menu you
can not fill in:

My WAN IP		0.0.0.0
Remote Gateway IP	0.0.0.0
Remote Network IP	10.0.2.1
Remote Network Mask	255.255.255.0

but you can fill in:

My WAN IP		0.0.0.0
Remote Gateway IP	0.0.0.0
Remote Network IP	10.0.2.0
Remote Network Mask	255.255.255.0

Even though these two are the same from a topological point of view.
The symptoms make it rather confusing. In the first configuration, an
ipsec tunnel will get established and immediately torn down, with a 'proper'
Notify Delete. This is not at all an easy to find bug, since technically,
specifying 10.0.2.1/24 is the same as 10.0.2.0/24.

Suggested fix: zero out the filled in IP address according to the specified
mask before further processing or storing, or the addition of scripting
in the webpages to disallow such specification.

Regards,

Paul
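
The suggested fix (mask the entered address before storing it) could look like the sketch below. This is an added example, not part of the original post and not Vigor or Openswan code; the function name and return codes are hypothetical. It also rejects non-contiguous netmasks and reports when host bits were cleared, so a web form could warn the user instead of silently rewriting the value.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for normalize_subnet() (hypothetical names). */
enum { SUBNET_OK = 0, SUBNET_HOST_BITS_CLEARED = 1,
       SUBNET_BAD_ADDR = -1, SUBNET_BAD_MASK = -2 };

/* Parse dotted-quad ip and mask, reject non-contiguous masks, and write
 * the network address (ip AND mask) to out as a dotted quad.
 * out must hold at least INET_ADDRSTRLEN bytes. */
int normalize_subnet(const char *ip, const char *mask, char *out, size_t outlen)
{
    struct in_addr a, m, n;

    if (inet_pton(AF_INET, ip, &a) != 1)
        return SUBNET_BAD_ADDR;
    if (inet_pton(AF_INET, mask, &m) != 1)
        return SUBNET_BAD_MASK;

    uint32_t addr = ntohl(a.s_addr);
    uint32_t msk = ntohl(m.s_addr);

    /* A valid netmask is a run of 1 bits followed by 0 bits, so its
     * inverse has the form 2^k - 1 and shares no bits with inverse + 1. */
    uint32_t inv = ~msk;
    if ((inv & (inv + 1)) != 0)
        return SUBNET_BAD_MASK;

    uint32_t net = addr & msk;   /* zero out the host part */
    n.s_addr = htonl(net);
    if (inet_ntop(AF_INET, &n, out, (socklen_t)outlen) == NULL)
        return SUBNET_BAD_ADDR;

    return (net != addr) ? SUBNET_HOST_BITS_CLEARED : SUBNET_OK;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    /* The failing configuration from the report above. */
    int rc = normalize_subnet("10.0.2.1", "255.255.255.0", buf, sizeof buf);
    printf("%s (rc=%d)\n", buf, rc);
    return 0;
}
```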


