Bug #12039

closed

Gateway alarm always triggers IPsec restart

Added by Viktor Gurov 4 months ago. Updated 24 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 06/15/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default
Affected Version: 2.5.1
Affected Architecture:

Description

There are several issues:

1) '/etc/rc.gateway_alarm' triggers '/etc/rc.newipsecdns', which generates an invalid log message:

IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

- which can confuse users.
This message is only true if IPsec remote-gateway == FQDN and filterdns updates its IP.
See https://github.com/pfsense/pfsense/blob/eb1305d0736a1d71d1615ca6b19e3f4a917317a0/src/etc/inc/ipsec.inc#L2862

2) It is not necessary to restart IPsec if an alarm is triggered for the Gateway that doesn't affect IPsec connections. It should be more flexible, like '/etc/rc.openvpn'.

3) It's better to create '/etc/rc.ipsec' in the same way as '/etc/rc.openvpn' and use '/etc/rc.newipsecdns' only for filterdns updates.

Actions #2

Updated by Renato Botelho 3 months ago

  • Status changed from New to In Progress
  • Assignee set to Viktor Gurov

I've merged check_reload_status part. Please re-test PHP part to make sure it's working as expected.

Actions #3

Updated by Renato Botelho 3 months ago

  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

Actions #4

Updated by Jim Pingle 3 months ago

  • Status changed from In Progress to Pull Request Review

Actions #5

Updated by Jim Pingle about 2 months ago

  • Status changed from Pull Request Review to Feedback

PRs merged

Actions #6

Updated by Viktor Gurov about 2 months ago

  • % Done changed from 0 to 100

Actions #7

Updated by Jim Pingle about 1 month ago

  • Subject changed from Gateway alarm always trigger IPsec restart to Gateway alarm always triggers IPsec restart

Updating subject for release notes.

Actions #8

Updated by Alhusein Zawi 24 days ago

  • Status changed from Feedback to Resolved

/etc/rc.ipsec is created

/etc/rc.gateway_alarm:

/usr/local/sbin/pfSctl \
-c "service reload dyndns ${GW}" \
-c "service reload ipsec ${GW}" \
-c "service reload openvpn ${GW}" \
-c "filter reload" >/dev/null 2>&1

After the above signal, the check_reload_status process calls the following scripts simultaneously:

  • "/etc/rc.dyndns.update", "dyndns=%s"
  • "/etc/rc.ipsec", "interface=%s"
  • "/etc/rc.openvpn", "interface=%s"
  • "/etc/rc.filter_configure_sync"

2.6.0.a.20211001.0100
