Regression #11487: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf`` - pfSense - pfSense bugtracker

Regression #11487

IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``

Added by Jim Pingle about 2 months ago. Updated about 1 month ago.

Status:

Feedback

Priority:

High

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.5.1

Start date:

02/20/2021

Due date:

% Done:

100%

Estimated time:

Affected Version:

2.5.0

Affected Architecture:

Release Notes:

Default

Description

Tunnels with expanded IKE connection numbers (e.g. "con100000") are not forming proper child SA con numbers. The numerical part of the name (e.g. "100000") is missing in the child SA names.

Related to #9592

To me, I have a fix.

ipsec-config-expandedike.xml (1.81 KB) ipsec-config-expandedike.xml

Jim Pingle, 03/11/2021 03:03 PM

Associated revisions

Revision eb5bd64f (diff)
Added by Jim Pingle about 2 months ago

Fix child SA name generation. Fixes #11487

Revision afffe759 (diff)
Added by Jim Pingle about 2 months ago

Fix child SA name generation. Fixes #11487

(cherry picked from commit eb5bd64face47422285cb883ad44fc5d77c361fa)

History

#1 Updated by Jim Pingle about 2 months ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset eb5bd64face47422285cb883ad44fc5d77c361fa.

#2 Updated by Renato Botelho about 2 months ago

Target version changed from CE-Next to 2.5.1

#3 Updated by Jim Pingle about 1 month ago

File ipsec-config-expandedike.xml ipsec-config-expandedike.xml added

To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.

Check the generated /var/etc/ipsec/swanctl.conf file and it will have an incorrect child name (con0)

    con100000 {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes128gcm128-aesxcbc-curve448
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 25920s
        reauth_time = 25920s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 198.51.100.15
        remote_addrs = 198.51.100.99
        pools = 
        local {
            id = 198.51.100.15
            auth = psk
        }
        remote {
            id = 198.51.100.99
            auth = psk
        }
        children {
            con0 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                local_ts = 10.15.0.0/24
                remote_ts = 10.14.0.0/24
                esp_proposals = aes128gcm128-curve448
            }
        }
    }

On a snapshot with the fix, the same tunnel will have a child with the correct name, con100000:

            con100000 {
                dpd_action = trap
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                local_ts = 10.6.0.0/24
                remote_ts = 10.14.0.0/24
                esp_proposals = aes128gcm128-curve448
            }

#4 Updated by Jim Pingle about 1 month ago

Subject changed from IPsec tunnels using expanded IKE connection numbers are not getting proper child SA names to IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``

Updating subject for release notes.

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries