Regression #11435
closedIPsec status incorrect for entries using expanded IKE connection numbers
100%
Description
IPsec status is not correctly matching some tunnels. #9592 introduced a mechanism to accommodate large numbers of VTI interfaces, and entries which use the new larger connection numbers are not being matched properly. Entries using the older format are OK.
For example, a tunnel mode entry with an IKE ID of 1 is now using a con name of "con100000" when previously it was "con1000" the additional zeroes are throwing off the matching logic in status_ipsec.php and presumably also the widget.
Updated by Jim Pingle almost 4 years ago
- % Done changed from 0 to 40
I pushed a fix for the status page, widget works much differently so it needs handled another way.
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Feedback
I checked in a fix for the widget now as well. Worked on two systems here (one which worked before, another which did not) and accurately reflected the tunnel status on both in the widget and on the status page.
Updated by Renato Botelho over 3 years ago
- Target version changed from CE-Next to 2.5.1
Updated by Jim Pingle over 3 years ago
To reproduce the problem, restore the IPsec config section from issue #11487 to a system without IPsec. Edit/save/apply on the IPsec tunnel. Restore it to a second one, and adjust them so they complement each other (e.g. fix remote addresses, change P2 subnets to match the LANs, etc).
From there, try to bring up the tunnel with traffic and check the status with swanctl --list-sas
from the CLI. Confirm the tunnel is up there, and check the GUI status and dashboard widget status.
On a system without the fix, the IPsec status page will show the tunnel as up but also show an additional entry which makes it appear to be disconnected. The dashboard widget will not show any active tunnels.
On a system with the fix, the status is correct in both places.
Now create a new IPsec tunnel mode instance manually and repeat the test. Then create a new VTI tunnel instance and repeat the test as well. If all three (Restored section, fresh tunnel, fresh VTI) show the expected status in each place, then we can consider it resolved.
Updated by Viktor Gurov over 3 years ago
Jim Pingle wrote:
I checked in a fix for the widget now as well. Worked on two systems here (one which worked before, another which did not) and accurately reflected the tunnel status on both in the widget and on the status page.
In case of IKEv1 (IKEv2 is OK), the IPsec widget always shows the tunnel status as inactive
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/202