Summary: | The given subnet address is already used by an IPsec network | ||
---|---|---|---|
Product: | IPFire | Reporter: | Heino Gutschmidt <heino.gutschmidt> |
Component: | --- | Assignee: | Alexander Marx <alexander.marx> |
Status: | CLOSED FIXED | QA Contact: | |
Severity: | Minor Usability | ||
Priority: | - Unknown - | CC: | michael.tremer, peter.mueller, tomvend |
Version: | 2 | ||
Hardware: | all | ||
OS: | All | ||
See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=10923 | ||
Bug Depends on: | |||
Bug Blocks: | 11618 | ||
Attachments: | patch for multiple ipsec subnets |
Hi

What exactly do you mean by "set up multiple remote subnets"? I tried to add some ipsec net-to-net connections and then add a static ovpn subnet, which worked fine.

Thanks for sending the patch.

http://git.ipfire.org/?p=people/amarx/ipfire-2.x.git;a=commit;h=8276e4862542cd487607c3f2cb3db6f7318891d6 should fix it.

I am receiving a similar error when trying to add a network to "Firewall Groups". When adding a /27 network to Firewall groups, I get the error "The given subnet address is already used by an IPsec network. Name: MyTunnel"

If I look up the configuration for "MyTunnel", the external IP for that tunnel is not within that range, but does start with the same number (first octet 64 instead of first octet 63 for the range I am adding), while the internal subnets for the tunnel are not at all similar (10.x.x.x).

Any chance this is related before I go and open another bug?

Is this bug still up to date? (Currently cleaning up the bug list... :-) )

*** Bug 11429 has been marked as a duplicate of this bug. ***

This issue can be reproduced here with Core Update 116.

(In reply to Peter Müller from comment #6)
> This issue can be reproduced here with Core Update 116.

Do you have this patch applied?

https://cgit.ipfire.org/ipfire-2.x.git/commit/config/cfgroot/network-functions.pl?id=1047805dba564994a96da0adbfb6559a8609ec11

(In reply to Michael Tremer from comment #7)
> (In reply to Peter Müller from comment #6)
> > This issue can be reproduced here with Core Update 116.
>
> Do you have this patch applied?
> https://cgit.ipfire.org/ipfire-2.x.git/commit/config/cfgroot/network-functions.pl?id=1047805dba564994a96da0adbfb6559a8609ec11

Yes. However, is it possible that this bug is related to https://bugzilla.ipfire.org/show_bug.cgi?id=10923 ? Sounds very similar...

This has been fixed in Core Update 122.

https://www.ipfire.org/news/ipfire-2-21-core-update-122-released
Created attachment 449: patch for multiple ipsec subnets

Overview: GUI provides the error message "The given subnet address is already used by an IPsec network" if you have an active IPsec setup (static tunnels) and you try to set up static IP address pools for OpenVPN.

Steps to Reproduce: Set up multiple IPsec remote subnets (e.g. 10.10.0.0/255.255.0.0,10.40.2.10/255.255.255.255,10.1.4.0/255.255.255.0) and try to add a static OpenVPN address pool (e.g. Test - 192.168.1.0/24).

Actual Results: Error "The given subnet address is already used by an IPsec network"

Expected Results: A new static OpenVPN address pool to add.

Build Date & Hardware: IPFire 2.19 (x86_64) - Core Update 102

Reason: Multiple subnets are not handled correctly in /var/ipfire/general-functions.pl (starting at line 1140).

Solution: See attached patch.
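
The report gives as its reason that a remote-subnet field holding several comma-separated subnets is not handled correctly by the overlap check. As an added example (not the attached patch and not IPFire's own code), the Perl below tests a candidate pool against each entry of such a list separately; the function names are hypothetical, and the second and third pools are constructed test values.

```perl
# Added example, not IPFire code; all function names are hypothetical.
use strict;
use warnings;

# Convert a dotted quad to a 32-bit integer; reject anything malformed.
sub quad_to_int {
    my ($q) = @_;
    my @o = $q =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or die "bad dotted quad '$q'\n";
    $_ > 255 and die "bad dotted quad '$q'\n" for @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# Parse "addr/len" or "addr/dotted-mask" into (network, mask) integers.
sub parse_subnet {
    my ($spec) = @_;
    my ($addr, $suffix) = split m{/}, $spec, 2;
    $suffix = 32 unless defined $suffix;
    my $mask;
    if ($suffix =~ /^\d{1,2}$/ && $suffix <= 32) {
        $mask = $suffix == 0 ? 0 : (0xFFFFFFFF << (32 - $suffix)) & 0xFFFFFFFF;
    } else {
        $mask = quad_to_int($suffix);
        my $inv = ~$mask & 0xFFFFFFFF;
        die "non-contiguous mask in '$spec'\n" if $inv & ($inv + 1);
    }
    return (quad_to_int($addr) & $mask, $mask);
}

# Return each entry of a comma-separated subnet list that overlaps $candidate.
sub overlapping_entries {
    my ($candidate, $list) = @_;
    my ($cnet, $cmask) = parse_subnet($candidate);
    my @hits;
    for my $entry (split /,/, $list) {
        $entry =~ s/^\s+|\s+$//g;
        next unless length $entry;
        my ($net, $mask) = parse_subnet($entry);
        my $common = $cmask & $mask;    # the shorter of the two prefixes
        push @hits, $entry if ($cnet & $common) == ($net & $common);
    }
    return @hits;
}

# Remote-subnet list and first pool are from the report; other pools are constructed.
my $remote = '10.10.0.0/255.255.0.0,10.40.2.10/255.255.255.255,10.1.4.0/255.255.255.0';
for my $pool ('192.168.1.0/24', '10.10.8.0/24', '10.40.2.8/30') {
    my @hits = overlapping_entries($pool, $remote);
    printf "%-16s %s\n", $pool, @hits ? "overlaps @hits" : 'no overlap';
}
```

Comparing both networks under the shorter of the two masks is what keeps ranges that merely look similar (for instance, differing only in the first octet) from being reported as conflicts.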