[Openswan dev] Vigor 2500 v2.50 buglet in ip/mask processing
Paul Wouters
paul at xtdnet.nl
Thu Sep 30 17:47:07 CEST 2004
Vigor 2500 v2.50 buglet in ip/mask processing
When specifying a full internet address instead of using a 'zero' network
notation, despite a proper netmask which should ignore this last digit,
it breaks the IPsec connection.
So in a lan-to-lan profile at the "4.TCP/IP Network Settings" menu you
can not fill in:
My WAN IP 0.0.0.0
Remote Gateway IP 0.0.0.0
Remote Network IP 10.0.2.1
Remote Network Mask 255.255.255.0
but you can fill in:
My WAN IP 0.0.0.0
Remote Gateway IP 0.0.0.0
Remote Network IP 10.0.2.0
Remote Network Mask 255.255.255.0
Even though these two are the same from a topological point of view.
The symptoms make it rather confusing. In the first configuration, an
ipsec tunel will get established and immediately torn down, with a 'proper'
Notify Delete. This is not at all an easy to find bug, since technically,
specifying 10.0.2.1/24 is the same as 10.0.2.0/24
Suggested fix: zero out the filled in IP address according to the specifed
mask before further processing or storing, or the addition of scripting
in the webpages to disallow such specification.
Regards,
Paul
More information about the Dev
mailing list