Bug 11131 - The given subnet address is already used by an IPsec network
Summary: The given subnet address is already used by an IPsec network
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: all All
Importance: - Unknown - Minor Usability
Assignee: Alexander Marx
QA Contact:
URL:
Keywords:
Duplicates: 11429
Depends on:
Blocks: IPSECBUGS
Reported: 2016-05-31 08:51 UTC by Heino Gutschmidt
Modified: 2018-08-06 22:36 UTC

Attachments
patch for multiple ipsec subnets (1.66 KB, patch)
2016-05-31 08:51 UTC, Heino Gutschmidt

Description Heino Gutschmidt 2016-05-31 08:51:20 UTC
Created attachment 449
patch for multiple ipsec subnets

Overview:

The GUI provides the error message "The given subnet address is already used by an IPsec network" if you have an active IPsec setup (static tunnels) and you try to set up static IP address pools for OpenVPN.

Steps to Reproduce:

Set up multiple IPsec remote subnets (e.g. 10.10.0.0/255.255.0.0,10.40.2.10/255.255.255.255,10.1.4.0/255.255.255.0) and try to add a static OpenVPN address pool (e.g. Test - 192.168.1.0/24).

Actual Results:

Error "The given subnet address is already used by an IPsec network"

Expected Results:

A new static OpenVPN address pool is added.

Build Date & Hardware:

IPFire 2.19 (x86_64) - Core Update 102 

Reason:

Multiple subnets are not handled correctly in /var/ipfire/general-functions.pl (starting at line 1140).

Solution:

See attached patch.
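
An added example, not part of the report and not IPFire's Perl code: one way to check a candidate pool against remote subnet fields that each hold a comma-separated list, comparing masked network ranges rather than the raw field. The tunnel names, the "site-b" entry and the function names are constructed for illustration; the "site-a" subnets and the 192.168.1.0/24 pool are the ones from the reproduction steps.

```python
import ipaddress

# Constructed sample: tunnel name -> remote subnet field as entered in the GUI.
# "site-a" uses the subnets from the reproduction steps; "site-b" is made up.
TUNNELS = {
    "site-a": "10.10.0.0/255.255.0.0,10.40.2.10/255.255.255.255,10.1.4.0/255.255.255.0",
    "site-b": "172.16.8.0/255.255.252.0",
}


def parse_subnets(field):
    """Split a comma-separated subnet field into a list of network objects."""
    networks = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        try:
            # Accepts both /prefix and /dotted-netmask; strict=False masks host bits.
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad subnet {item!r} in field {field!r}") from exc
    return networks


def find_conflict(candidate, tunnels):
    """Return (tunnel, subnet) for the first remote subnet that overlaps
    the candidate network, or None when the candidate is free."""
    wanted = ipaddress.ip_network(candidate, strict=False)
    for name, field in tunnels.items():
        for net in parse_subnets(field):
            if wanted.overlaps(net):
                return name, str(net)
    return None


if __name__ == "__main__":
    for pool in ("192.168.1.0/24", "10.10.5.0/24", "10.40.2.0/24", "10.1.5.0/24"):
        print(pool, "->", find_conflict(pool, TUNNELS))
```

The adjacent 10.1.5.0/24 is reported as free even though it shares its leading octets with 10.1.4.0/24, because the comparison is made on address ranges and not on text.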
Comment 1 Alexander Marx 2016-06-02 14:50:59 UTC
Hi,
What exactly do you mean by "set up multiple remote subnets"?

I tried to add some IPsec net-to-net connections and then add a static ovpn subnet, which worked fine.
Comment 2 Alexander Marx 2016-06-02 16:44:26 UTC
Thanks for sending the patch.

http://git.ipfire.org/?p=people/amarx/ipfire-2.x.git;a=commit;h=8276e4862542cd487607c3f2cb3db6f7318891d6

should fix it.
Comment 3 Tom Rymes 2016-09-26 19:38:13 UTC
I am receiving a similar error when trying to add a network to "Firewall Groups". When adding a /27 network to Firewall groups, I get the error "The given subnet address is already used by an IPsec network. Name: MyTunnel". If I look up the configuration for "MyTunnel", the external IP for that tunnel is not within that range, but does start with the same number (first octet 64 instead of first octet 63 for the range I am adding), while the internal subnets for the tunnel are not at all similar (10.x.x.x). Any chance this is related before I go and open another bug?
Comment 4 Peter Müller 2017-11-08 17:47:46 UTC
Is this bug still up to date? (Currently cleaning up the bug list... :-) )
Comment 5 Peter Müller 2017-11-08 18:08:14 UTC
*** Bug 11429 has been marked as a duplicate of this bug. ***
Comment 6 Peter Müller 2017-11-24 20:11:30 UTC
This issue can be reproduced here with Core Update 116.
Comment 7 Michael Tremer 2018-01-10 17:39:13 UTC
(In reply to Peter Müller from comment #6)
> This issue can be reproduced here with Core Update 116.

Do you have this patch applied? https://cgit.ipfire.org/ipfire-2.x.git/commit/config/cfgroot/network-functions.pl?id=1047805dba564994a96da0adbfb6559a8609ec11
Comment 8 Peter Müller 2018-01-13 16:20:32 UTC
(In reply to Michael Tremer from comment #7)
> (In reply to Peter Müller from comment #6)
> > This issue can be reproduced here with Core Update 116.
> 
> Do you have this patch applied?
> https://cgit.ipfire.org/ipfire-2.x.git/commit/config/cfgroot/network-functions.pl?id=1047805dba564994a96da0adbfb6559a8609ec11
Yes. However, is it possible that this bug is related to
https://bugzilla.ipfire.org/show_bug.cgi?id=10923 ? Sounds very similar...
Comment 9 Peter Müller 2018-08-06 22:36:46 UTC
This has been fixed in Core Update 122.

https://www.ipfire.org/news/ipfire-2-21-core-update-122-released