
0001424: IPsec VPN, Local VPN hostname/IP parameter added in ipsec.conf is random - MantisBT Endian Bugtracker
View Issue Details

ID: 0001424
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-11-05 13:40
Last Update: 2010-05-26 17:09
Reporter: skrew
Assigned To: peter-endian
Priority: normal
Severity: trivial
Reproducibility: random
Status: closed
Resolution: fixed
Platform / OS / OS Version: not specified
Product Version: 2.2-rc3
Target Version: 2.4
Fixed in Version: not specified
Summary: 0001424: IPsec VPN, Local VPN hostname/IP parameter added in ipsec.conf is random
Description: When I try to specify it as a name/IP, after clicking "Save" the "Local VPN hostname/IP" field content changes to some name chosen by the GUI itself (it can be the full hostname or an alias). This can cause a serious problem in future IPsec topology definition.
I found a temporary solution: if I need to declare an IP instead of a name, I enter the IP and click "Save". After that the IP is changed to some hostname, but I ignore that and just check the ipsec.conf on the server. It should be OK until the next "Save" :).
Tags: ipsec hostname vpn
Attached Files: (none)

Relationships
child of 0001935 (confirmed, assigned to peter-endian): issues to fix with ipsec (openswan)

Notes
(0001773)
peter-endian (administrator)
2008-11-05 14:13

The GUI uses the hostname of the main uplink which is currently online.

I think that's OK, but maybe it should not overwrite custom configuration when saving.
(0001774)
skrew (reporter)
2008-11-05 14:18

This is not good behaviour, because:
1. If I use an internal DNS server and configure it in Endian Firewall, the hostname of the uplink inside the LAN can be different from the hostname visible to the internet. I have exactly this situation.
2. Anyway, the administrator/human should have 100% control over this parameter if needed.
(0002087)
jzdrzalek (reporter)
2009-03-27 07:33

Initially I put the public IP of our side in that "Local VPN hostname/IP" field.
If I then change something and click on "Save", ipsec.conf gets overwritten with the FQDN hostname. In that case the VPN isn't working anymore. Pluto complains: "We cannot identify ourselves with either end of this connection."

I then have to replace the hostname with the IP of the main uplink, as skrew explained above.

This bug is also present in the current 2.2.1 commercial version.
(0002089)
jzdrzalek (reporter)
2009-03-28 11:24
edited on: 2009-03-28 11:26

When reloading /cgi-bin/vpnmain.cgi, vpnmain.cgi rewrites the VPN_IP field (Local VPN hostname/IP) with the hostname resolved from the DNS PTR record. VPN_IP is used later by ipsec.conf.tmpl to fill two fields in ipsec.conf: left and leftid. There is no problem with "left", as long as the DNS forward lookup resolves back to the IP.
But if it does not, it leads to problems. One has to check that the A and PTR records resolve to the same host. The PTR is set by the ISP. One can then set the A record to that name. It is also sufficient to set it up on the firewall.
Regarding "leftid", it depends on what kind of IPsec authentication one uses. In the case of X.509, peers are identified by certificates, but if using PSK, leftid is used.
leftid cannot then be arbitrarily changed. Usually one defines leftid to be the IPv4 address.
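
The chain described in note 0002089 (vpnmain.cgi substituting the uplink's PTR name for the saved VPN_IP, ipsec.conf.tmpl copying VPN_IP into both `left=` and `leftid=`, and the resulting failure when the forward A lookup does not return the uplink address) can be checked before anyone clicks "Save". The script below is an added example written for this page; it is not code from the Endian project or from any of the posters. The DNS records, addresses, `conn` name, `authby=secret` line and the function names are all constructed for illustration, and the rule that a bare hostname in `left=`/`leftid=` must resolve back to the local address is taken from the notes above rather than from the openswan source.

```python
# Added example (not Endian code): models the VPN_IP -> left/leftid path the
# notes describe and checks whether a given "Local VPN hostname/IP" value will
# actually identify this gateway.  All DNS data below is constructed.
import ipaddress
from typing import Dict

# Constructed forward (A) and reverse (PTR) records; none of these hosts are real.
A_RECORDS: Dict[str, str] = {
    "fw.example.net": "203.0.113.10",    # admin-chosen name, forward record only
    "vpn.example.org": "198.51.100.7",   # forward and reverse agree
}
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "203-0-113-10.isp.example",  # ISP-set PTR with no A record
    "198.51.100.7": "vpn.example.org",
}


def is_ip(value: str) -> bool:
    """True if value is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def gui_rewrite(uplink_ip: str, saved_vpn_ip: str) -> str:
    """The reported behaviour: the saved value is ignored and the PTR name of the
    online uplink is written back.  Falling back to the bare address when no PTR
    exists is an assumption, not something the bug report states."""
    return PTR_RECORDS.get(uplink_ip, uplink_ip)


def render_conn(vpn_ip: str, right: str, name: str = "net2net") -> str:
    """Mimic ipsec.conf.tmpl: VPN_IP lands in both left= and leftid= (assumed layout)."""
    return (
        f"conn {name}\n"
        f"    left={vpn_ip}\n"
        f"    leftid={vpn_ip}\n"
        f"    right={right}\n"
        f"    authby=secret\n"
    )


def check_identity(vpn_ip: str, uplink_ip: str) -> dict:
    """Pre-save check: will left=/leftid= derived from vpn_ip name this gateway?

    A literal address must equal the uplink address.  A hostname must have an A
    record that points at the uplink address, otherwise pluto cannot match the
    connection to a local interface (the "cannot identify ourselves" failure).
    """
    if is_ip(vpn_ip):
        if vpn_ip == uplink_ip:
            return {"ok": True, "reason": "literal uplink address"}
        return {"ok": False, "reason": f"{vpn_ip} is not the uplink address {uplink_ip}"}
    forward = A_RECORDS.get(vpn_ip)
    if forward is None:
        return {"ok": False, "reason": f"no A record for {vpn_ip}; left/leftid cannot be resolved"}
    if forward != uplink_ip:
        return {"ok": False, "reason": f"{vpn_ip} resolves to {forward}, not the uplink {uplink_ip}"}
    return {"ok": True, "reason": f"{vpn_ip} resolves back to the uplink address"}


if __name__ == "__main__":
    uplink = "203.0.113.10"
    saved = "203.0.113.10"                      # what the admin typed (skrew's workaround)
    rewritten = gui_rewrite(uplink, saved)      # what the GUI writes back on Save
    for candidate in (saved, rewritten):
        verdict = check_identity(candidate, uplink)
        print(f"VPN_IP={candidate}: {'OK' if verdict['ok'] else 'BROKEN'} ({verdict['reason']})")
        print(render_conn(candidate, "198.51.100.50"))
```

Run stand-alone, the script shows the literal address passing the check and the ISP PTR name failing it, together with the `conn` block each would produce; the same `check_identity` call is the test a GUI could run before overwriting an admin-supplied value.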

(0002300)
kevsworld (reporter)
2009-05-07 16:49

I have exactly this problem as reported by jzdrzalek, and it is preventing me from using IPsec. I normally use OpenVPN, but in this case I need to use IPsec to connect to a Draytek. I want to keep it simple and use a PSK as it is only a net-to-net connection, but the Endian keeps using the DNS PTR record supplied by the ISP, and this will not resolve using DNS, so the left ID is invalid!! Surely it is a fairly simple fix to the GUI so that we can actually enter what we want into this field.

Issue History
Date Modified | Username | Field | Change
2008-11-05 13:40 skrew New Issue
2008-11-05 13:40 skrew Assigned To => peter-endian
2008-11-05 13:41 skrew Tag Attached: ipsec hostname vpn
2008-11-05 14:13 peter-endian Note Added: 0001773
2008-11-05 14:18 skrew Note Added: 0001774
2008-11-05 16:32 peter-endian Status new => acknowledged
2008-11-05 16:33 peter-endian Target Version => future
2009-03-27 07:33 jzdrzalek Note Added: 0002087
2009-03-28 11:24 jzdrzalek Note Added: 0002089
2009-03-28 11:26 jzdrzalek Note Edited: 0002089
2009-05-07 16:49 kevsworld Note Added: 0002300
2009-06-10 13:11 peter-endian Relationship added child of 0001935
2010-01-21 18:03 peter-endian Target Version future => codename: angry armadillo
2010-05-26 17:09 christian-endian Status acknowledged => closed
2010-05-26 17:09 christian-endian Resolution open => fixed

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker