Bug #12039
Gateway alarm always triggers IPsec restart
Status: Closed
Start date: 06/15/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default
Affected Version: 2.5.1
Affected Architecture:
Description
There are several issues:
1) '/etc/rc.gateway_alarm' triggers '/etc/rc.newipsecdns', which generates an invalid log message:
IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
- which can confuse users.
This message is only true if IPsec remote-gateway == FQDN and filterdns updates its IP.
See https://github.com/pfsense/pfsense/blob/eb1305d0736a1d71d1615ca6b19e3f4a917317a0/src/etc/inc/ipsec.inc#L2862
2) It is not necessary to restart IPsec if an alarm is triggered for the Gateway that doesn't affect IPsec connections. It should be more flexible, like '/etc/rc.openvpn'.
3) It's better to create '/etc/rc.ipsec' in the same way as '/etc/rc.openvpn' and use '/etc/rc.newipsecdns' only for filterdns updates.
Updated by Viktor Gurov over 3 years ago
Updated by Renato Botelho about 3 years ago
- Status changed from New to In Progress
- Assignee set to Viktor Gurov
I've merged check_reload_status part. Please re-test PHP part to make sure it's working as expected.
Updated by Renato Botelho about 3 years ago
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Updated by Jim Pingle about 3 years ago
- Status changed from In Progress to Pull Request Review
Updated by Jim Pingle about 3 years ago
- Status changed from Pull Request Review to Feedback
PRs merged
Updated by Viktor Gurov about 3 years ago
- % Done changed from 0 to 100
Applied in changeset 8558539a8547befd3a9f218286766e76a1c0f03f.
Updated by Jim Pingle about 3 years ago
- Subject changed from Gateway alarm always trigger IPsec restart to Gateway alarm always triggers IPsec restart
Updating subject for release notes.
Updated by Alhusein Zawi about 3 years ago
- Status changed from Feedback to Resolved
/etc/rc.ipsec is created
/etc/rc.gateway_alarm:
/usr/local/sbin/pfSctl \
-c "service reload dyndns ${GW}" \
-c "service reload ipsec ${GW}" \
-c "service reload openvpn ${GW}" \
-c "filter reload" >/dev/null 2>&1
- After the above signal, the check_reload_status process calls the following scripts simultaneously:
- - "/etc/rc.dyndns.update", "dyndns=%s"
- - "/etc/rc.ipsec", "interface=%s"
- - "/etc/rc.openvpn", "interface=%s"
- - "/etc/rc.filter_configure_sync"
2.6.0.a.20211001.0100
Updated by Jim Pingle almost 3 years ago
- Plus Target Version changed from 21.09 to 22.01
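Added illustration, not pfSense code: the split requested in the description, where a gateway alarm reloads only the tunnels tied to that gateway, and the "endpoint has changed its IP" message is reserved for a DNS update of an FQDN remote gateway. The tunnel table, the function names `is_fqdn` and `plan_for_event`, and the action strings are hypothetical and constructed for this example.

```shell
#!/bin/sh
# Constructed sample data (assumption, not read from a pfSense config):
# one tunnel per line as "<tunnel id> <bound gateway> <remote endpoint>".
TUNNELS='con1 WAN_DHCP 198.51.100.10
con2 WAN2_GW vpn.example.net
con3 WAN_DHCP peer.example.org'

# is_fqdn ENDPOINT: succeed when the remote endpoint is a hostname rather
# than an IPv4/IPv6 literal. Only hostnames can change IP via a DNS update.
is_fqdn() {
	case "$1" in
		*:*) return 1 ;;        # IPv6 literal
		*[!0-9.]*) return 0 ;;  # has a character that is not digit or dot
		*) return 1 ;;          # IPv4 literal
	esac
}

# plan_for_event KIND ARG: print the actions that should follow an event.
#   gateway_alarm GW -> reload only tunnels bound to GW; no "IP changed" log
#   dns_update HOST  -> reload only tunnels whose FQDN remote is HOST, and
#                       only in this case log that an endpoint changed its IP
plan_for_event() {
	kind=$1
	arg=$2
	printf '%s\n' "$TUNNELS" | while read -r id gw remote; do
		case "$kind" in
			gateway_alarm)
				if [ "$gw" = "$arg" ]; then
					echo "reload $id"
				fi ;;
			dns_update)
				if is_fqdn "$remote" && [ "$remote" = "$arg" ]; then
					echo "log endpoint-ip-changed $id"
					echo "reload $id"
				fi ;;
		esac
	done
}

# Demo: an alarm on WAN2_GW touches con2 only; con1 and con3 stay up.
plan_for_event gateway_alarm WAN2_GW
```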