Regression #12052
Status: Closed
IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID
Description
Platform:
Version 2.5.1-RELEASE (amd64) on VMWare
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE
FreeBSD strongSwan U5.9.1/K12.2-STABLE
Description:
Menu Status->IPSec->Overview, "Disconnect Button" should only disconnect one user but it is dropping all mobile active connections (hundreds).
The problem occurred after upgrading from version 2.4.5 to 2.5.1.
We did a test in a second instance of pfSense and the problem repeated itself. The problem occurred on two different VPN servers with the same version of pfSense.
Also, we tested killing a connection with the command "swanctl -t" and it worked perfectly, dropping only the target connection and not the others, as happens in the pfSense GUI:
swanctl -t --ike-id 3880
[IKE] deleting IKE_SA con-mobile3880 between [x.x.x.x]...y.y.y.y
[IKE] sending DELETE for IKE_SA con-mobile3880
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from x.x.x.x4500 to y.y.y.y4500 (80 bytes)
[NET] received packet: from y.y.y.y4500 to x.x.x.x4500 (80 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
So far, evidence seems to point to a bug in pfSense management scripts.
Thanks,
Geovane
Jun 15 10:02:14 vpn4 charon71011: 15[IKE] <con-mobile|2722> sending DELETE for IKE_SA con-mobile2722
Jun 15 10:02:14 vpn4 charon71011: 13[IKE] <con-mobile|2690> sending DELETE for IKE_SA con-mobile2690
Jun 15 10:02:14 vpn4 charon71011: 07[IKE] <con-mobile|2642> sending DELETE for IKE_SA con-mobile2642
Jun 15 10:02:15 vpn4 charon71011: 12[IKE] <con-mobile|2602> sending DELETE for IKE_SA con-mobile2602
Jun 15 10:02:15 vpn4 charon71011: 11[IKE] <con-mobile|2592> sending DELETE for IKE_SA con-mobile2592
Jun 15 10:02:15 vpn4 charon71011: 11[IKE] <con-mobile|2924> sending DELETE for IKE_SA con-mobile2924
Jun 15 10:02:15 vpn4 charon71011: 11[IKE] <con-mobile|2922> sending DELETE for IKE_SA con-mobile2922
Jun 15 10:02:15 vpn4 charon71011: 07[IKE] <con-mobile|2889> sending DELETE for IKE_SA con-mobile2889
Jun 15 10:02:15 vpn4 charon71011: 10[IKE] <con-mobile|2884> sending DELETE for IKE_SA con-mobile2884
Jun 15 10:02:15 vpn4 charon71011: 07[IKE] <con-mobile|2882> sending DELETE for IKE_SA con-mobile2882
Jun 15 10:02:15 vpn4 charon71011: 07[IKE] <con-mobile|2859> sending DELETE for IKE_SA con-mobile2859
Jun 15 10:02:15 vpn4 charon71011: 15[IKE] <con-mobile|2820> sending DELETE for IKE_SA con-mobile2820
Jun 15 10:02:15 vpn4 charon71011: 13[IKE] <con-mobile|2812> sending DELETE for IKE_SA con-mobile2812
Jun 15 10:02:15 vpn4 charon71011: 13[IKE] <con-mobile|2798> sending DELETE for IKE_SA con-mobile2798
Jun 15 10:02:15 vpn4 charon71011: 08[IKE] <con-mobile|2650> sending DELETE for IKE_SA con-mobile2650
Jun 15 10:02:15 vpn4 charon71011: 06[IKE] <con-mobile|2613> sending DELETE for IKE_SA con-mobile2613
Jun 15 10:02:15 vpn4 charon71011: 12[IKE] <con-mobile|2909> sending DELETE for IKE_SA con-mobile2909
Jun 15 10:02:15 vpn4 charon71011: 10[IKE] <con-mobile|2878> sending DELETE for IKE_SA con-mobile2878
Jun 15 10:02:15 vpn4 charon71011: 09[IKE] <con-mobile|2857> sending DELETE for IKE_SA con-mobile2857
Jun 15 10:02:15 vpn4 charon71011: 11[IKE] <con-mobile|2836> sending DELETE for IKE_SA con-mobile2836
Jun 15 10:02:15 vpn4 charon71011: 07[IKE] <con-mobile|2827> sending DELETE for IKE_SA con-mobile2827
Jun 15 10:02:15 vpn4 charon71011: 09[IKE] <con-mobile|2819> sending DELETE for IKE_SA con-mobile2819
Jun 15 10:02:15 vpn4 charon71011: 09[IKE] <con-mobile|2794> sending DELETE for IKE_SA con-mobile2794
Jun 15 10:02:15 vpn4 charon71011: 09[IKE] <con-mobile|2727> sending DELETE for IKE_SA con-mobile2727
Jun 15 10:02:15 vpn4 charon71011: 10[IKE] <con-mobile|2579> sending DELETE for IKE_SA con-mobile2579
Jun 15 10:02:15 vpn4 charon71011: 10[IKE] <con-mobile|2903> sending DELETE for IKE_SA con-mobile2903
Jun 15 10:02:15 vpn4 charon71011: 11[IKE] <con-mobile|2890> sending DELETE for IKE_SA con-mobile2890
Jun 15 10:02:15 vpn4 charon71011: 13[IKE] <con-mobile|2875> sending DELETE for IKE_SA con-mobile2875
Jun 15 10:02:16 vpn4 charon71011: 06[IKE] <con-mobile|2874> sending DELETE for IKE_SA con-mobile2874
Jun 15 10:02:16 vpn4 charon71011: 06[IKE] <con-mobile|2809> sending DELETE for IKE_SA con-mobile2809
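The burst of DELETE messages in the log above can be told apart from a single-SA termination by counting distinct IKE SA unique IDs per connection in a short time span. The following is an added example, not part of the original report or of pfSense; the function name, the `gap_s` and `threshold` parameters and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the charon syslog layout quoted in the report.
SAMPLE_LOG = """\
Jun 15 09:41:03 vpn4 charon: 08[IKE] <con-mobile|101> sending DELETE for IKE_SA con-mobile[101]
Jun 15 10:02:14 vpn4 charon: 15[IKE] <con-mobile|102> sending DELETE for IKE_SA con-mobile[102]
Jun 15 10:02:14 vpn4 charon: 13[IKE] <con-mobile|103> sending DELETE for IKE_SA con-mobile[103]
Jun 15 10:02:15 vpn4 charon: 07[IKE] <con-site|7> sending DELETE for IKE_SA con-site[7]
Jun 15 10:02:15 vpn4 charon: 12[IKE] <con-mobile|104> sending DELETE for IKE_SA con-mobile[104]
Jun 15 10:02:15 vpn4 charon: 11[IKE] <con-mobile|105> sending DELETE for IKE_SA con-mobile[105]
Jun 15 10:02:16 vpn4 charon: 11[IKE] <con-mobile|105> IKE_SA deleted
"""

DELETE_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ charon\S*: \d+\[IKE\] "
    r"<([^|>]+)\|(\d+)> sending DELETE for IKE_SA")

def find_mass_deletes(log_text, gap_s=2, threshold=3):
    """Return (connection, first_timestamp, sa_ids) for each burst in which
    at least `threshold` distinct IKE SAs of one connection were deleted,
    consecutive deletes being no more than `gap_s` seconds apart."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DELETE_RE.match(line)
        if m:
            # Syslog omits the year; a fixed one is assumed to compute deltas.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, int(m.group(3)), m.group(1)))
    bursts = []
    for conn, evs in events.items():
        evs.sort()
        cluster = []
        for ev in evs + [None]:  # the trailing None flushes the last cluster
            if ev and (not cluster
                       or ev[0] - cluster[-1][0] <= timedelta(seconds=gap_s)):
                cluster.append(ev)
                continue
            ids = sorted({sa for _, sa, _ in cluster})
            if len(ids) >= threshold:
                bursts.append((conn, cluster[0][2], ids))
            cluster = [ev] if ev else []
    return bursts

if __name__ == "__main__":
    for conn, start, ids in find_mass_deletes(SAMPLE_LOG):
        print(f"{start}: {len(ids)} SAs of {conn} deleted together: {ids}")
```

The earlier single delete of SA 101 and the unrelated `con-site` delete are not reported; only the four `con-mobile` SAs removed within the same two seconds are grouped as one event.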