Project

General

Profile

Actions

Regression #11435

closed

IPsec status incorrect for entries using expanded IKE connection numbers

Added by Jim Pingle about 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/17/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

IPsec status is not correctly matching some tunnels. #9592 introduced a mechanism to accommodate large numbers of VTI interfaces, and entries which use the new larger connection numbers are not being matched properly. Entries using the older format are OK.

For example, a tunnel mode entry with an IKE ID of 1 is now using a con name of "con100000" when previously it was "con1000" the additional zeroes are throwing off the matching logic in status_ipsec.php and presumably also the widget.

Actions #1

Updated by Jim Pingle about 3 years ago

  • % Done changed from 0 to 40

I pushed a fix for the status page, widget works much differently so it needs handled another way.

Actions #2

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Feedback

I checked in a fix for the widget now as well. Worked on two systems here (one which worked before, another which did not) and accurately reflected the tunnel status on both in the widget and on the status page.

Actions #3

Updated by Jim Pingle about 3 years ago

  • % Done changed from 40 to 100
Actions #4

Updated by Renato Botelho about 3 years ago

  • Target version changed from CE-Next to 2.5.1
Actions #5

Updated by Jim Pingle about 3 years ago

To reproduce the problem, restore the IPsec config section from issue #11487 to a system without IPsec. Edit/save/apply on the IPsec tunnel. Restore it to a second one, and adjust them so they complement each other (e.g. fix remote addresses, change P2 subnets to match the LANs, etc).

From there, try to bring up the tunnel with traffic and check the status with swanctl --list-sas from the CLI. Confirm the tunnel is up there, and check the GUI status and dashboard widget status.

On a system without the fix, the IPsec status page will show the tunnel as up but also show an additional entry which makes it appear to be disconnected. The dashboard widget will not show any active tunnels.

On a system with the fix, the status is correct in both places.

Now create a new IPsec tunnel mode instance manually and repeat the test. Then create a new VTI tunnel instance and repeat the test as well. If all three (Restored section, fresh tunnel, fresh VTI) show the expected status in each place, then we can consider it resolved.

Actions #6

Updated by Viktor Gurov about 3 years ago

Jim Pingle wrote:

I checked in a fix for the widget now as well. Worked on two systems here (one which worked before, another which did not) and accurately reflected the tunnel status on both in the widget and on the status page.

In case of IKEv1 (IKEv2 is OK), the IPsec widget always shows the tunnel status as inactive

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/202

Actions #7

Updated by Renato Botelho about 3 years ago

PR merged and cherry-picked to 2.5.1

Actions #8

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF