In 21.1, you can only have a p-t-p connection between the hosts that connect to each other in a routed IPsec connection. But at least some clouds only allow /30 link networks.
Has that been made possible in 21.7? Is it planned?
Are you sure that is still a limitation on current 21.1.8?
Cheers,
Franco
Could you give an example of what isn't working? Which cloud provider etc.? I can at the very least report that routed S2S VPNs to an AWS VPC are possible with 20.7 (and I would assume that holds true for any version thereafter, too).
This is still a limitation on 21.1.8. You can only enter "Local Address" and "Remote Address", network masks are illegal.
An example of a cloud that needs this is Alibaba, which we are doing quite a lot with at the moment, since Alibaba CEN is the only way to get to China with anything like acceptable performance.
Isn't that what "Network" type is for?
Cheers,
Franco
I don't know what you mean by that. If I select mode "Route Based" in Phase 2, I cannot see any "Network" type.
Ah ok, route based. I missed this.
The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...
Cheers,
Franco
Ok thanks, I'll try that. Perhaps it would be useful to add that to the help.
Quote from: franco on July 14, 2021, 03:26:20 PM
Ah ok, route based. I missed this.
The subnet size is calculated from the local-remote IP distance. For 10.1.1.1 to 10.1.1.2 that is a /30...
Cheers,
Franco
Also: if this distance is bigger than 32, it doesn't work.
10.10.11.1 - 10.10.11.20 is OK
10.10.11.20 - 10.10.11.50 is OK
10.10.11.20 - 10.10.11.60 is not working
I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?
https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871
It looks a bit suspicious.
Cheers,
Franco
In my opinion it would be preferable to explicitly configure this.
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It is. I am not that great a programmer but I know networking.
The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.
Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6. ;)
Kind regards,
Patrick
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It feels like my replies and questions are mostly being ignored. :P
Quote from: franco on July 22, 2021, 07:41:35 PM
I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?
https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871
It looks a bit suspicious.
Quote from: franco on July 26, 2021, 01:34:46 PM
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It feels like my replies and questions are mostly being ignored. :P
Quote from: franco on July 22, 2021, 07:41:35 PM
I was wondering why this wasn't adjusted to the nearest power of 2, which it should probably have been?
https://github.com/opnsense/core/blob/1aeb52063159df6da3546d132a765557e6a96a6d/src/etc/inc/plugins.inc.d/ipsec.inc#L1871
It looks a bit suspicious.
I did read that, but maybe I misunderstood in that it not only has to be adjusted to a nearest power of 2 but also the logarithm needs to be taken.
Anyway, I think the whole idea of calculating this is wrong; it should instead be explicitly specified by the user. What if I have a bigger link network where I want to use adjacent addresses anyway?
Quote from: pmhausen on July 26, 2021, 01:26:12 PM
Quote from: bimbar on July 26, 2021, 01:03:03 PM
Also, in your link, shouldn't there be a logarithm somewhere in there? It looks wrong.
It is. I am not that great a programmer but I know networking.
The calculation for IPv4 fundamentally makes sense, but needs to be changed from a difference to the 2log of the same, rounded down plus 1 - probably. I don't know if there are convenient functions for bit arithmetic that avoid floating point calculations. As I said, not that much of a PHP guru.
Plus the prefix length should be /64 for all IPv6 connections unless explicitly configured differently by the admin.
One does not simply use subnets in IPv6. ;)
Kind regards,
Patrick
For IPv6, /127 is not that uncommon.
For IPv4, how would the algorithm decide whether you want to do /31 or /30?
Quote from: bimbar on July 26, 2021, 02:40:45 PM
For IPv6, /127 is not that uncommon.
That's why I wrote "unless configured differently".
Quote from: bimbar on July 26, 2021, 02:40:45 PM
For IPv4, how would the algorithm decide whether you want to do /31 or /30?
By applying the dual logarithm to the difference between both addresses? What if I am using a /24? There are more options than /31 or /30 ...
Quote from: pmhausen on July 26, 2021, 02:52:14 PM
Quote from: bimbar on July 26, 2021, 02:40:45 PM
For IPv6, /127 is not that uncommon.
That's why I wrote "unless configured differently".
Quote from: bimbar on July 26, 2021, 02:40:45 PM
For IPv4, how would the algorithm decide whether you want to do /31 or /30?
By applying the dual logarithm to the difference between both addresses? What if I am using a /24? There are more options than /31 or /30 ...
Yes, but what if I have two adjacent IP addresses? Do I want the full /30 or just the /31? Both are perfectly reasonable.
Ah, now I got your point. Again: configuration by admin. Only reasonable solution, IMHO.
Are these P2P links? In that case you could even re-use your Ethernet's address with a /32 on each side.
I have only run policy based IPsec so far, so I lack experience with that particular setup.
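A worked version of the prefix calculation this thread circles around (Patrick's suggestion of taking the dual logarithm of the address distance, Franco's three address pairs, and the /31-versus-/30 question just above), as an added example that is not OPNsense code and not part of any post here. It assumes nothing about what the linked `ipsec.inc` line actually does; the function and parameter names (`smallest_common_prefix`, `link_network`, `explicit_prefix`) are this example's own. It deliberately uses the XOR of the two addresses rather than their arithmetic difference, because only the XOR tells you how many low-order bits differ: .31 and .32 are one apart but share no /31.

```python
import ipaddress
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def smallest_common_prefix(local: str, remote: str) -> Network:
    """Smallest network that contains both tunnel endpoints.

    The host part is the number of low-order bits in which the two
    addresses differ, i.e. floor(log2(local XOR remote)) + 1.  Integer
    bit_length() gives that without any floating-point log.
    """
    a = ipaddress.ip_address(local)
    b = ipaddress.ip_address(remote)
    if a.version != b.version:
        raise ValueError("local and remote address families differ")
    host_bits = (int(a) ^ int(b)).bit_length()  # 0 when both are identical
    prefix = a.max_prefixlen - host_bits
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def explicit_prefix_fits(local: str, remote: str, prefix: int) -> bool:
    """True if an admin-chosen prefix length really contains both endpoints."""
    net = ipaddress.ip_network(f"{local}/{prefix}", strict=False)
    return ipaddress.ip_address(remote) in net


def link_network(local: str, remote: str,
                 explicit_prefix: Optional[int] = None) -> Network:
    """Pick the tunnel link network.

    An explicit prefix length (the "configuration by admin" position in the
    thread) always wins, but is validated against both endpoints.  Without
    one, IPv6 defaults to /64 when both addresses share that /64 (Patrick's
    suggestion; a /127 is still reachable via explicit_prefix), and IPv4
    falls back to the smallest common prefix.
    """
    a = ipaddress.ip_address(local)
    if explicit_prefix is not None:
        if not explicit_prefix_fits(local, remote, explicit_prefix):
            raise ValueError(
                f"{remote} is outside {a}/{explicit_prefix}")
        return ipaddress.ip_network(f"{a}/{explicit_prefix}", strict=False)
    auto = smallest_common_prefix(local, remote)
    if a.version == 6 and auto.prefixlen >= 64:
        return ipaddress.ip_network(f"{a}/64", strict=False)
    return auto


if __name__ == "__main__":
    # Constructed sample pairs: the first three are the ones Franco listed,
    # the rest probe the edge cases raised afterwards in the thread.
    pairs = [
        ("10.10.11.1", "10.10.11.20"),    # distance 19
        ("10.10.11.20", "10.10.11.50"),   # distance 30
        ("10.10.11.20", "10.10.11.60"),   # distance 40, reported as failing
        ("10.1.1.1", "10.1.1.2"),         # adjacent, but needs a /30
        ("10.10.11.20", "10.10.11.21"),   # adjacent, fits a /31
        ("10.10.11.31", "10.10.11.32"),   # adjacent across a /26 boundary
        ("2001:db8::1", "2001:db8::2"),   # IPv6: /64 by default
    ]
    for local, remote in pairs:
        print(f"{local:>14} - {remote:<14} "
              f"common {str(smallest_common_prefix(local, remote)):<18} "
              f"chosen {link_network(local, remote)}")
```

The interesting rows are the two adjacent IPv4 pairs: .1/.2 comes out as a /30 (as Franco said) while .20/.21 comes out as a /31, and no amount of arithmetic can tell the algorithm which of those the admin actually meant, which is the argument for an explicit setting. `explicit_prefix_fits` is what such a setting should be checked against before it is written into the configuration.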
Quote from: pmhausen on July 26, 2021, 04:59:21 PM
Ah, now I got your point. Again: configuration by admin. Only reasonable solution, IMHO.
Are these P2P links? In that case you could even re-use your Ethernet's address with a /32 on each side.
I have only run policy based IPsec so far, so I lack experience with that particular setup.
It usually is a link network, I do not know if p-t-p is also possible.
Should I submit a bug report about this or is this now scheduled to be fixed?