Describe the bug
Currently the API validates the "remote gateway" in correlation to "internet protocol" (fqdn is only allowed if both protocols are enabled, error 2169).
# For domain name remote gateways, ensure the protocol is 'both'
What is the motivation for this validation? In my view pfSense does not have such a limitation.
I have many IPsec VPNs running with an FQDN as remote gateway and only IPv4 as internet protocol.
Thanks for reporting. I don't recall the exact reason for that validation constraint. Probably just an oversight, or it may have been a safety check used to remain compatible with older versions of pfSense at the time. Either way, you're correct this does not appear to be a necessary constraint in the versions of pfSense supported currently. I'll have a fix for this in the next patch.
Hi @jaredhendrickson13, thanks a lot for the fast feedback. Would you prefer a PR next time? Do you see something like that as a patch, minor or major? A PR for #250 would be in the area of major?
PRs are definitely welcome! This issue I would consider a patch because it doesn't really introduce anything new to the API, it adjusts existing functionality. #250 I would consider a minor change because it introduces a new feature to the API that is not currently in v1.6.x.
pfsense-api/pfSense-pkg-API/files/etc/inc/api/models/APIServicesIPsecPhase1Update.inc
Line 248 in a2d0d3c
To Reproduce
```
# Phase 1 update payload (single-quoted so the shell keeps the JSON's double quotes)
IKEU='{"ikeid":"1","iketype":"ikev2","interface":"wan","remote-gateway":"remote.mydom.com","protocol":"inet","myid_type":"asn1dn","myid_data":"CN=myid.mydom.com","peerid_type":"asn1dn","peerid_data":"CN=remote.mydom.com","encryption":{"item":[{"encryption-algorithm":{"name":"aes256gcm","keylen":"128"},"hash-algorithm":"sha512","prf-algorithm":"sha1","dhgroup":"16"}]},"lifetime":"28800","rekey_time":"","reauth_time":"","rand_time":"","pre-shared-key":"","private-key":"","certref":"61c2d5e94e2a1","pkcs11certref":"","pkcs11pin":"","caref":"5d2f68c93892b","authentication_method":"cert","descr":"my - remote","nat_traversal":"on","mobike":"off","startaction":"","closeaction":"","dpd_delay":"10","dpd_maxfail":"5"}'
curl -s -H "Authorization: Bearer ${JWT}" -X PUT -d "${IKEU}" "${PFSENSE_URL}/api/v1/services/ipsec/phase1"
# Response:
{"status":"bad request","code":400,"return":2169,"message":"IPsec remote gateway cannot be a hostname unless protocol is set to 'both'","data":[]}
```
Expected behavior
Update the phase 1 object remote gateway independent of the protocol setting.
Screenshots or Response
na
pfSense Version & Package Version:
Affected Endpoints:
Additional context
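The relaxed check discussed in this thread, as an added PHP example that is not pfsense-api's code or its actual fix: a hostname is accepted under any protocol, while an IP literal must still match the selected address family. The function name `check_remote_gateway()` and its error strings are hypothetical, and it uses PHP's built-in `filter_var()` instead of pfSense's own helpers.

```php
<?php
// Added example: hypothetical validator, not taken from pfsense-api.

/**
 * Validate an IPsec phase 1 remote gateway against the selected protocol.
 * Returns null when the pair is acceptable, otherwise an error string.
 */
function check_remote_gateway(string $gateway, string $protocol): ?string
{
    if (!in_array($protocol, ['inet', 'inet6', 'both'], true)) {
        return 'protocol must be inet, inet6 or both';
    }

    $is_v4 = filter_var($gateway, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $is_v6 = filter_var($gateway, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;

    if ($is_v4 || $is_v6) {
        // IP literals are still tied to the address family.
        if ($is_v4 && $protocol === 'inet6') {
            return 'IPv4 gateway given but protocol is inet6';
        }
        if ($is_v6 && $protocol === 'inet') {
            return 'IPv6 gateway given but protocol is inet';
        }
        return null;
    }

    // Not an IP literal: accept a syntactically valid hostname for any
    // protocol, since name resolution decides the family at connect time.
    if (filter_var($gateway, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return 'remote gateway must be an IP address or a hostname';
    }
    return null;
}

// Constructed sample inputs (the first pair is the one from the report).
$samples = [
    ['remote.mydom.com', 'inet'],
    ['192.0.2.10', 'inet'],
    ['2001:db8::1', 'inet'],
    ['192.0.2.10', 'inet6'],
    ['bad host!', 'both'],
];
foreach ($samples as [$gw, $proto]) {
    printf("%-18s %-6s => %s\n", $gw, $proto, var_export(check_remote_gateway($gw, $proto), true));
}
```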