Blank dropdown in IPsec tunnel

(Stéphane de Labrusse) #1

I’m evaluating VPN and what we can do to harden them.

I tested the IPSEC module, and I can see a blank drop down for the local IP field. Of course it is a test install and from base we have no red interface, so the code of the function return false for orange, green, blue interface.
It makes sense, but we could need an IPSEC tunnel with a NS installed behind a router with just one green NIC, or at least we must give a default output -> no red interface.

what do you think @davidep @giacomo

this is what I talk

Screenshot-2018-5-19 Example Org - IPsec tunnels
Screenshot-2018-5-19 Example Org - IPsec tunnels.png532x536 19.5 KB

(Giacomo Sanchietti) #2

IPSec and VPN tunnels are not designed to connect single hosts but for net2net configuration, this implies that we need two gateways on both ends.

I don’t even know if an IPSec tunnel could work to a single host.

Yes we could do it, I have nothing against it beside it needs more PHP code just for a cosmetic fix.
But if you want to try to implement, I’m pretty sure Davide will merge the PR :wink:

(Stéphane de Labrusse) #3

Maybe we just need a validator, if null then display a warning

 public function validate(\Nethgui\Controller\ValidationReportInterface $report)
    {
        if ( ! $this->getRequest()->isMutation()) {
            return;
        }
        elseif  ($this->parameters['left'] === NULL) {
            $report->addValidationErrorMessage($this, 'left', 'ExpectOneRedNic');
        }
        parent::validate($report);
    }

what do youthink

(Stéphane de Labrusse) #4

Yes, it is not implicit, but indeed the mandatory configuration is two NIC (one red and one green). See the fragment template error when I have just one red and no green.

 May 20 14:39:46 test esmith::event[14620]: ERROR in /etc/e-smith/templates//etc/ipsec.d/tunnels.conf/00template_vars: Program fragment delivered error <<Can't call method "prop" on an undefined value at /etc/e-s
mith/templates//etc/ipsec.d/tunnels.conf/00template_vars line 21.>> at template line 1
May 20 14:39:46 test esmith::event[14620]: ERROR: Template processing failed for //etc/ipsec.d/tunnels.conf: 1 fragment generated errors
May 20 14:39:46 test esmith::event[14620]: at /etc/e-smith/events/actions/generic_template_expand line 64.
May 20 14:39:46 test esmith::event[14620]: [WARNING] expansion of /etc/ipsec.d/tunnels.conf failed

Maybe this should be warned somewhere in the documentation.

(Giacomo Sanchietti) #5

I agree with you, I just approved the PRs.