|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001424||Endian Firewall||Network related (VPN, uplinks)||public||2008-11-05 13:40||2010-05-26 17:09|
|Target Version||2.4||Fixed in Version|
|Summary||0001424: IPsec VPN, Local VPN hostname/IP parameter added in ipsec.conf is random|
|Description||When I try to specify it as a name/IP, after clicking "Save" the "Local VPN hostname/IP" field content changes to some name chosen by the GUI itself (it can be the full hostname or an alias). This can cause a serious problem in future IPsec topology definitions.|
I found a temporary solution: if I need to declare an IP instead of a name, I enter the IP and click "Save" (after that the IP is changed to some hostname, but I ignore that) and just check ipsec.conf on the server. Should be OK until the next "Save" :).
|Tags||ipsec hostname vpn|
The GUI uses the hostname of the main uplink which is currently online.
I think that's OK, but maybe it should not overwrite custom configuration when saving.
This is not good behaviour, because:
1. If I use an internal DNS server and configure it in Endian Firewall, the hostname of the uplink inside the LAN can be different from the hostname visible to the Internet. I have exactly this situation.
2. Anyway, the administrator (a human) should be able to take 100% control of this parameter if needed.
Initially I put the public IP of our side in that "Local VPN hostname/IP" field.
If I then change something and click "Save", ipsec.conf gets overwritten with the FQDN hostname. In that case the VPN isn't working anymore. Pluto complains: "We cannot identify ourselves with either end of this connection."
I then have to replace the hostname with the IP of the main uplink, as skrew explained above.
This bug is also present in the current 2.2.1 commercial version.
edited on: 2009-03-28 11:26
When reloading /cgi-bin/vpnmain.cgi, vpnmain.cgi rewrites the VPN_IP field (Local VPN hostname/IP) with the hostname resolved from the DNS PTR record. VPN_IP is used later by ipsec.conf.tmpl to fill two fields in ipsec.conf: left and leftid. There is no problem with "left", as long as the DNS forward lookup resolves back to the IP.
But if not, it leads to problems. One has to check that the A and PTR records resolve to the same host. The PTR is set by the ISP. One can then set the A record to that name. It is also sufficient to set it up on the firewall.
Regarding "leftid", it depends on what kind of IPsec authentication one uses. In the case of X.509, peers are identified by certificates, but if using PSK, leftid is used.
Leftid cannot then be arbitrarily changed. Usually one defines leftid to be the IPv4 address.
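The note above describes a mechanism (GUI overwrites VPN_IP with the uplink's PTR name, the template copies that value into both left and leftid) and two consequences (left must forward-resolve to an address of the firewall, and under PSK leftid must match what the peer expects). The following is an added example, not code from the bug report or from Endian: it models that mechanism with constructed DNS tables so the failure mode and the two fixes discussed in the thread can be reproduced offline. The addresses, the ISP PTR name, the conn name and the function names are all invented for illustration; no real DNS lookups are made.

```python
"""Added example, not part of the bug report or of Endian's code.

Models the mechanism described in the note above: the GUI overwrites the
'Local VPN hostname/IP' field (VPN_IP) with the PTR name of the online main
uplink, and ipsec.conf.tmpl writes that value into both `left` and `leftid`.
The checks answer the two questions the note raises:
  1. does `left` still forward-resolve to an address of this firewall, so
     pluto can identify its own end of the connection?
  2. for PSK, does `leftid` still match the ID the remote peer was configured
     to expect?
DNS tables, addresses and the ISP PTR name below are constructed for the
example; no real lookups are performed.
"""
from ipaddress import ip_address

UPLINK_IP = "198.51.100.10"                     # constructed public uplink address
LOCAL_ADDRESSES = {UPLINK_IP, "10.0.0.1"}       # addresses configured on the firewall

# Constructed DNS: forward (A) and reverse (PTR) tables.
FORWARD = {"fw.example.net": UPLINK_IP}                  # A record the admin controls
REVERSE = {UPLINK_IP: "host-198-51-100-10.isp.example"}  # PTR set by the ISP, no A record


def gui_vpn_ip(uplink_ip, reverse=REVERSE):
    """Value the GUI writes back into VPN_IP on Save: the uplink's PTR name,
    falling back to the bare address when there is no PTR."""
    return reverse.get(uplink_ip, uplink_ip)


def resolve(name_or_ip, forward=FORWARD):
    """Forward-resolve a hostname; an IP literal resolves to itself.
    Returns None when the name has no A record."""
    try:
        return str(ip_address(name_or_ip))
    except ValueError:
        return forward.get(name_or_ip)


def fcrdns_ok(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: PTR(ip) -> name and A(name) -> ip."""
    name = reverse.get(ip)
    return name is not None and forward.get(name) == ip


def render_conn(vpn_ip):
    """The two ipsec.conf lines the template fills from VPN_IP (the rest of
    the conn block is omitted; the conn name is illustrative)."""
    return "\n".join(["conn net-to-net", f"    left={vpn_ip}", f"    leftid={vpn_ip}"])


def check_conn(vpn_ip, auth, peer_expects_id, local_addresses=LOCAL_ADDRESSES,
               forward=FORWARD):
    """Return the problems a conn rendered from VPN_IP would have.
    auth is 'psk' or 'x509'; peer_expects_id is the remote ID the peer was
    configured with (only relevant for PSK, where leftid is the identity)."""
    problems = []
    left_ip = resolve(vpn_ip, forward)
    if left_ip is None:
        problems.append(f"left={vpn_ip} has no A record: pluto cannot identify "
                        "ourselves with either end of this connection")
    elif left_ip not in local_addresses:
        problems.append(f"left={vpn_ip} resolves to {left_ip}, which is not an "
                        "address of this firewall")
    if auth == "psk" and vpn_ip != peer_expects_id:
        problems.append(f"leftid={vpn_ip} but the peer expects ID {peer_expects_id}")
    return problems


if __name__ == "__main__":
    peer_id = UPLINK_IP                          # peer configured with our public IP as remote ID
    print(render_conn(UPLINK_IP), check_conn(UPLINK_IP, "psk", peer_id))
    rewritten = gui_vpn_ip(UPLINK_IP)            # what the field holds after Save
    print(render_conn(rewritten), check_conn(rewritten, "psk", peer_id))
    # Admin adds an A record for the ISP's PTR name: left is fine, leftid still differs.
    fixed = {**FORWARD, rewritten: UPLINK_IP}
    print(fcrdns_ok(UPLINK_IP, forward=fixed),
          check_conn(rewritten, "psk", peer_id, forward=fixed))
```

Running the script walks through the thread's three states: the conn as the admin entered it (no problems), the conn after Save rewrote VPN_IP to a PTR name with no A record (left cannot be resolved and, under PSK, leftid no longer matches the peer), and the conn after an A record for the PTR name is added, which repairs left but still leaves the PSK identity mismatch unless the peer is reconfigured with the new name. Under X.509 the leftid mismatch is not reported, matching the note's distinction between certificate and PSK identification.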
I have this exact problem as reported by jzdrzalek and it is preventing me from using IPsec. I normally use OpenVPN, but in this case I need to use IPsec to connect to a Draytek. I want to keep it simple and use a PSK as it is only a net-to-net connection, but the Endian keeps using the DNS PTR record supplied by the ISP, and this will not resolve using DNS, so the leftid is invalid!! Surely it is a fairly simple fix to the GUI so that we can actually enter what we want into this field.
|2008-11-05 13:40||skrew||New Issue|
|2008-11-05 13:40||skrew||Assigned To||=> peter-endian|
|2008-11-05 13:41||skrew||Tag Attached: ipsec hostname vpn|
|2008-11-05 14:13||peter-endian||Note Added: 0001773|
|2008-11-05 14:18||skrew||Note Added: 0001774|
|2008-11-05 16:32||peter-endian||Status||new => acknowledged|
|2008-11-05 16:33||peter-endian||Target Version||=> future|
|2009-03-27 07:33||jzdrzalek||Note Added: 0002087|
|2009-03-28 11:24||jzdrzalek||Note Added: 0002089|
|2009-03-28 11:26||jzdrzalek||Note Edited: 0002089|
|2009-05-07 16:49||kevsworld||Note Added: 0002300|
|2009-06-10 13:11||peter-endian||Relationship added||child of 0001935|
|2010-01-21 18:03||peter-endian||Target Version||future => codename: angry armadillo|
|2010-05-26 17:09||christian-endian||Status||acknowledged => closed|
|2010-05-26 17:09||christian-endian||Resolution||open => fixed|