Project

General

Profile

Actions

Bug #5699

closed

Upgraded systems with IPsec disabled globally will have it enabled

Added by Chris Buechler over 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
12/24/2015
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3
Affected Architecture:

Description

The removal of the global enable/disable IPsec setting means upgraded systems where it's disabled will end up with their formerly-disabled configs activated. Already has bitten one snapshot user, likely many, many others will be impacted.

I think it was misguided to remove the global enable/disable as people find it useful. It either needs to come back, or upon upgrade, add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled.

Actions #1

Updated by Jim Thompson about 8 years ago

IPSec is on by default in -CURRENT now.

We have that patch in our tree, so IPSec is on by default in pfSense.

Why turn it off?

Actions #2

Updated by Jim Thompson about 8 years ago

  • Assignee set to Chris Buechler
Actions #3

Updated by Phillip Davis about 8 years ago

I would think that in production there is no need to have a global switch that disables all IPsec. I guess that was most useful when testing/playing/setting up new stuff so you can quickly disable the effect of what you were doing without actually deleting all the settings.

"add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled" seems to me like all that is needed - that way people who have existing systems where they played with IPsec somewhere in the past, have a bunch of settings in the config, and had used the global IPsec disable switch to make those settings ineffective, will upgrade and each IPsec P1 configuration will then be disabled.

Actions #4

Updated by Renato Botelho about 8 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Chris Buechler about 8 years ago

  • Status changed from Feedback to Resolved

There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.

This works fine now.

Actions #6

Updated by Jim Pingle about 8 years ago

Chris Buechler wrote:

There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.

This works fine now.

We have checkboxes for mass actions on P1s, and each row has a 'disable' button already. To cover that latter case we could have a mass disable/enable button next to the "Delete P1s" button.

Actions

Also available in: Atom PDF