From 6c3be3650008801aaa1579dca67b0588c04b8e18 Mon Sep 17 00:00:00 2001
From: Chris Buechler <cmb@pfsense.org>
Date: Thu, 6 Nov 2014 16:36:35 -0600
Subject: [PATCH] Don't allow P2 local+remote network combinations that overlap
 with interface+remote-gateway of the P1. Fixes #3812

---
 usr/local/www/vpn_ipsec_phase2.php | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 461a7086c..c8f4684ed 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -46,9 +46,13 @@ if (!is_array($config['ipsec']['client']))
 
 $a_client = &$config['ipsec']['client'];
 
+if (!is_array($config['ipsec']['phase1']))
+	$config['ipsec']['phase1'] = array();
+
 if (!is_array($config['ipsec']['phase2']))
 	$config['ipsec']['phase2'] = array();
 
+$a_phase1 = &$config['ipsec']['phase1'];
 $a_phase2 = &$config['ipsec']['phase2'];
 
 if (!empty($_GET['p2index']))
@@ -246,6 +250,46 @@ if ($_POST) {
 				}
 			}
 		}
+		if (is_array($a_phase1)) {
+			foreach ($a_phase1 as $phase1) {
+				if($phase1['ikeid'] == $pconfig['ikeid']) {
+					/* This is the P1 for this entry, validate its remote-gateway and local interface isn't within tunnel */
+					$entered_local = array();
+					$entered_local['type'] = $pconfig['localid_type'];
+					if (isset($pconfig['localid_address'])) $entered_local['address'] = $pconfig['localid_address'];
+					if (isset($pconfig['localid_netbits'])) $entered_local['netbits'] = $pconfig['localid_netbits'];
+					$entered_localid_data = ipsec_idinfo_to_cidr($entered_local, false, $pconfig['mode']);
+					list($entered_local_network, $entered_local_mask) = split("/", $entered_localid_data);
+					$entered_remote = array();
+					$entered_remote['type'] = $pconfig['remoteid_type'];
+					if (isset($pconfig['remoteid_address'])) $entered_remote['address'] = $pconfig['remoteid_address'];
+					if (isset($pconfig['remoteid_netbits'])) $entered_remote['netbits'] = $pconfig['remoteid_netbits'];
+					$entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote, false, $pconfig['mode']);
+					list($entered_remote_network, $entered_remote_mask) = split("/", $entered_remoteid_data);
+					if ($phase1['protocol'] == "inet6") { 
+						$if = get_failover_interface($phase1['interface'], "inet6");
+						$interfaceip = get_interface_ipv6($if);
+					} else {
+						$if = get_failover_interface($phase1['interface']);
+						$interfaceip = get_interface_ip($if);
+					}
+					/* skip validation for hostnames, they're subject to change anyway */
+					if (is_ipaddr($phase1['remote-gateway'])) {
+						if ($pconfig['mode'] == "tunnel") {
+							if(check_subnets_overlap($interfaceip, 32, $entered_local_network, $entered_local_mask) && check_subnets_overlap($phase1['remote-gateway'], 32, $entered_remote_network, $entered_remote_mask)) {
+								$input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
+								break;
+							}
+						} else if ($pconfig['mode'] == "tunnel6") {
+							if(check_subnetsv6_overlap($interfaceip, 128, $entered_local_network, $entered_local_mask) && check_subnets_overlap($phase1['remote-gateway'], 128, $entered_remote_network, $entered_remote_mask)) {
+								$input_errors[] = gettext("The local and remote networks of a phase 2 entry cannot overlap the outside of the tunnel (interface and remote gateway) configured in its phase 1.");
+								break;
+							}							
+						}				
+					}
+				}
+			}
+		}
         }
 
 	/* For ESP protocol, handle encryption algorithms */