Bug #12075
closed
Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync
Added by Jim Pingle almost 3 years ago.
Updated over 2 years ago.
Plus Target Version:
22.01
Description
When synchronizing settings over XMLRPC, the secondary only reconfigures the IPsec daemon if IPsec is enabled or disabled as a whole and not for other changes.
If a setting is changed on an existing setup, such as altering a PSK or adding a new tunnel, the secondary gets the settings in config.xml but they are not activated in strongswan. For example, new settings are not reflected in /var/etc/swanctl.conf until something else comes along and reloads them (e.g. manually, reboot, etc).
Normally the settings should be applied on sync, but in some cases that could lead to the secondary interfering in active tunnels, so testing and care is needed to ensure it is not disruptive. Settings could also be applied during transition to CARP master but that could be prone to timing issues.
Perhaps it could be treated similarly to FRR and OpenVPN where the secondary checks whether its interface is CARP, and if so, it only starts the service if it's interface is in master.
PH1 entries with BACKUP VIP or VIPs aliased to BACKUP CARP must be skipped in `ipsec_get_phase1_src()` (see also https://redmine.pfsense.org/issues/11793) - otherwise secondary node tries to start CARP-binded PH1 entries after reboot
- Status changed from New to Pull Request Review
Copied from my comments on the PR:
Skipping entries negates the entire point of doing the configure during XMLRPC sync. You may as well just reconfigure during the CARP transition if you're going to do that.
Rather than skipping entries, set the child SA start action to 'none' on sync when using a CARP VIP in backup status, and then when it changes to master, resync and let it be whatever the user set (or default if unset). When child SA start action is 'none' it won't attempt to automatically initiate.
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
- % Done changed from 0 to 100
This seems to work for me. When I make changes to an existing tunnel's encryption settings, interface, local ID, etc, /var/etc/ipsec/swanctl.conf on the secondary immediately reflects the changes without any manual intervention. However, I am not able to replicate the initial problem in 2.5.2 so it's not clear if this only affected earlier builds 2.6?
Tested in
2.6.0-DEVELOPMENT (amd64)
built on Sat Oct 09 05:20:31 UTC 2021
FreeBSD 12.2-STABLE
- Status changed from Feedback to Resolved
Tested on 22.01.a.20211010.0500 with configuration that I originally experienced the issue in. It works correctly now.
- Plus Target Version changed from 21.09 to 22.01
- Related to Bug #12566: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group added
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by