pfSense bugtracker: pfSense - Regression #11487: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``
https://redmine.pfsense.org/issues/11487

Jim Pingle, 2021-02-20T16:30:07Z: https://redmine.pfsense.org/issues/11487?journal_id=51354
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Fix child SA name generation. Fixes #11487" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/eb5bd64face47422285cb883ad44fc5d77c361fa">eb5bd64face47422285cb883ad44fc5d77c361fa</a>.</p>

Renato Botelho (renato@netgate.com), 2021-02-21T08:24:57Z: https://redmine.pfsense.org/issues/11487?journal_id=51378
<ul><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>2.5.1</i></li></ul>

Jim Pingle, 2021-03-11T15:09:14Z: https://redmine.pfsense.org/issues/11487?journal_id=52259
<ul><li><strong>File</strong> <a href="/attachments/3503">ipsec-config-expandedike.xml</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3503/ipsec-config-expandedike.xml">ipsec-config-expandedike.xml</a> added</li></ul><p>To reproduce the problem, restore the attached IPsec config section to a system without IPsec. Edit/save/apply on the IPsec tunnel.</p>
<p>Check the generated <code>/var/etc/ipsec/swanctl.conf</code> file and it will have an incorrect child name (<code>con0</code>)</p>
<pre>
con100000 {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128gcm128-aesxcbc-curve448
    dpd_delay = 10s
    dpd_timeout = 60s
    rekey_time = 25920s
    reauth_time = 25920s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 198.51.100.15
    remote_addrs = 198.51.100.99
    pools =
    local {
        id = 198.51.100.15
        auth = psk
    }
    remote {
        id = 198.51.100.99
        auth = psk
    }
    children {
        con0 {
            dpd_action = trap
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = trap
            local_ts = 10.15.0.0/24
            remote_ts = 10.14.0.0/24
            esp_proposals = aes128gcm128-curve448
        }
    }
}
</pre>
<p>On a snapshot with the fix, the same tunnel will have a child with the correct name, <code>con100000</code>:</p>
<pre>
con100000 {
    dpd_action = trap
    mode = tunnel
    policies = yes
    life_time = 3600s
    rekey_time = 3240s
    rand_time = 360s
    start_action = trap
    local_ts = 10.6.0.0/24
    remote_ts = 10.14.0.0/24
    esp_proposals = aes128gcm128-curve448
}
</pre>

Jim Pingle, 2021-03-12T10:32:14Z: https://redmine.pfsense.org/issues/11487?journal_id=52298
<ul><li><strong>Subject</strong> changed from <i>IPsec tunnels using expanded IKE connection numbers are not getting proper child SA names</i> to <i>IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in ``swanctl.conf``</i></li></ul><p>Updating subject for release notes.</p>

Jim Pingle, 2021-04-13T10:51:38Z: https://redmine.pfsense.org/issues/11487?journal_id=52952
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul>
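<p>The manual check in the 2021-03-11 comment (open the generated <code>/var/etc/ipsec/swanctl.conf</code> and look for a child SA named <code>con0</code> under a connection named <code>con100000</code>) can be automated. The script below is an added example written for this page; it is not pfSense or strongSwan code. It parses swanctl's <code>name { key = value }</code> block syntax into nested dicts and reports every child SA whose name does not begin with its parent connection's name. The two embedded configs are constructed from the broken and fixed excerpts in that comment, trimmed to the relevant settings and wrapped in the <code>connections</code> block a complete <code>swanctl.conf</code> carries. The report only shows exact equality (<code>con100000</code>/<code>con100000</code>) for a single child; accepting a suffix after the connection name is this example's assumption so that a tunnel with several Phase 2 entries is not flagged.</p>

```python
"""Report IPsec child SAs in a swanctl.conf whose name does not carry the
name of their parent connection (the symptom of pfSense Regression #11487).
Added example for this page, not pfSense or strongSwan code."""
import re
import sys

# Constructed from the broken excerpt in the report, trimmed to the settings
# that matter here and wrapped in the connections {} block of a full file.
BROKEN_CONF = """\
connections {
    con100000 {
        version = 2
        proposals = aes128gcm128-aesxcbc-curve448
        local_addrs = 198.51.100.15
        remote_addrs = 198.51.100.99
        pools =
        local {
            id = 198.51.100.15
            auth = psk
        }
        remote {
            id = 198.51.100.99
            auth = psk
        }
        children {
            con0 {
                mode = tunnel
                local_ts = 10.15.0.0/24
                remote_ts = 10.14.0.0/24
                esp_proposals = aes128gcm128-curve448
            }
        }
    }
}
"""

# The same tunnel as generated with the fix: the child carries the
# connection name. Only the child section header differs.
FIXED_CONF = BROKEN_CONF.replace("con0 {", "con100000 {")

SECTION_RE = re.compile(r"^([^\s{}=]+)\s*\{$")
SETTING_RE = re.compile(r"^([^\s{}=]+)\s*=\s*(.*)$")


def parse_swanctl(text):
    """Parse swanctl.conf text into nested dicts.

    Sections become dicts keyed by their name, settings become strings (an
    empty value such as "pools =" becomes ""). '#' starts a comment. An
    unbalanced brace raises ValueError so a truncated file is not accepted."""
    root, stack, current = {}, [], None
    current = root
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without an open section")
            current = stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = {}
            current[m.group(1)] = section
            stack.append(current)
            current = section
            continue
        m = SETTING_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    if stack:
        raise ValueError("unterminated section: missing '}'")
    return root


def misnamed_children(text):
    """Return (connection, child) pairs whose child SA name does not begin
    with the parent connection name. The prefix rule (instead of exact
    equality, which is all the report shows) is this example's assumption."""
    conf = parse_swanctl(text)
    # Accept a complete file (connections { ... }) or a bare excerpt.
    conns = conf.get("connections", conf)
    bad = []
    for conn_name, conn in conns.items():
        if not isinstance(conn, dict):
            continue
        for child_name in conn.get("children", {}):
            if not child_name.startswith(conn_name):
                bad.append((conn_name, child_name))
    return bad


if __name__ == "__main__":
    # Check the file named on the command line, else the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"broken": BROKEN_CONF, "fixed": FIXED_CONF}
    for label, conf_text in samples.items():
        for conn, child in misnamed_children(conf_text):
            print(f"{label}: connection {conn} has child SA named {child}")
```

<p>Run it against the generated file with <code>python3 check_children.py /var/etc/ipsec/swanctl.conf</code>; on an affected 2.5.0 build the broken tunnel above is reported as <code>connection con100000 has child SA named con0</code>, and a build with the fix reports nothing.</p>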