pfSense bugtracker
pfSense - Feature #12169: IPsec keep alive option to initiate phase 2 without using ICMP

Jim Pingle, 2021-07-26T13:10:52Z, https://redmine.pfsense.org/issues/12169?journal_id=55251
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/55251/diff?detail_id=45483">diff</a>)</li></ul>

Jim Pingle, 2021-07-26T13:16:05Z, https://redmine.pfsense.org/issues/12169?journal_id=55252
<p>Also note this should solve what some users see where after some time of a peer being down, a VTI tunnel won't automatically reconnect without manual intervention.</p>

Jim Pingle, 2021-07-30T13:06:52Z, https://redmine.pfsense.org/issues/12169?journal_id=55327
<p>The other work is done, so this can proceed. See <a class="changeset" title="IPsec updates to address multiple issues * Configure/apply code changes. * Vast performance in..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/bec6dcfbbef4832b34d47ca60b0671b23dc185d8">bec6dcfbbef4832b34d47ca60b0671b23dc185d8</a></p>

Jim Pingle, 2021-08-02T13:40:09Z, https://redmine.pfsense.org/issues/12169?journal_id=55375
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Add P2 Keep Alive function. Implements #12169 Works for VTI and Tunnel mode. Checks every 5 minu..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/a3d2c8617ae7d9cabc6ce37cf8d1202b6c58f6df">a3d2c8617ae7d9cabc6ce37cf8d1202b6c58f6df</a>.</p>

Jim Pingle, 2021-08-02T14:28:42Z, https://redmine.pfsense.org/issues/12169?journal_id=55376
<ul><li><strong>Subject</strong> changed from <i>Initiate IPsec P2 without ping</i> to <i>IPsec keep alive option to initiate P2 without ping</i></li></ul>

Marcos M, 2021-08-02T16:37:44Z, https://redmine.pfsense.org/issues/12169?journal_id=55385
<p>Currently after a gateway comes back up, <code>check_reload_status</code> will run "Restarting ipsec tunnels". This is not triggering a VTI P2 to initiate even with <code>Child SA Close Action</code> set to "Restart/Reconnect".</p>
<p>My guess is that <code>check_reload_status</code> is only reloading the configuration rather than restarting the tunnel, and given that <code>Child SA Close Action</code> aka <code>dpd_action</code> would not come into play after the IKE timeout/retransmit period has passed, the P2 VTI never comes back up.</p>
<p>Would this behavior be resolved by this feature?</p>

Jim Pingle, 2021-08-02T17:16:25Z, https://redmine.pfsense.org/issues/12169?journal_id=55387
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul><p>Almost certainly, since this just checks if a P2 with the option checked is enabled and disconnected. If so, it triggers an initiate action for it.</p>
<p>It wouldn't have any relation to tunnel types, events, etc. It just checks every 5 minutes if it's up.</p>
<p>Though now that I think about it, this should probably also check the CARP status so it doesn't initiate tunnels on secondary nodes in BACKUP status.</p>

Jim Pingle, 2021-08-05T10:55:09Z, https://redmine.pfsense.org/issues/12169?journal_id=55480
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul><p>Applied in changeset <a class="changeset" title="IPsec Keep Alive corrections. Fixes #12169 * Checked CARP VIP status if used by P1, if VIP is in..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/a7705968eac0b3d21739d88736610aed4785426d">a7705968eac0b3d21739d88736610aed4785426d</a>.</p>

Jim Pingle, 2021-08-26T10:03:52Z, https://redmine.pfsense.org/issues/12169?journal_id=55985
<ul><li><strong>Subject</strong> changed from <i>IPsec keep alive option to initiate P2 without ping</i> to <i>IPsec keep alive option to initiate phase 2 without ping</i></li></ul><p>Updating subject for release notes.</p>

Jim Pingle, 2021-08-26T10:04:25Z, https://redmine.pfsense.org/issues/12169?journal_id=55986
<ul><li><strong>Subject</strong> changed from <i>IPsec keep alive option to initiate phase 2 without ping</i> to <i>IPsec keep alive option to initiate phase 2 without using ICMP</i></li></ul><p>Updating subject for release notes.</p>

Marcos M, 2021-10-13T13:45:47Z, https://redmine.pfsense.org/issues/12169?journal_id=56740
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Tested on 22.01.a.20211010.0500. Still works well.</p>

Marcos M, 2021-10-16T20:36:39Z, https://redmine.pfsense.org/issues/12169?journal_id=56776
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>New</i></li></ul><p>I did some further testing on this.</p>
<p><code>(substr($status[$ikeid]['p1']['interface'], 0, 4) == "_vip")</code> returns a false negative when the interface is a gateway group due to <code>['interface']</code> at this point being defined as the gateway group name. This leads to the secondary incorrectly initiating a connection.</p>
<p>It would also be nice to let the user adjust the keepalive check time, as once <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI options to configure IKE retransmission behavior (Resolved)" href="https://redmine.pfsense.org/issues/12184">#12184</a> is implemented, the keepalive time could be lowered.</p>

Jim Pingle, 2021-10-18T09:21:38Z, https://redmine.pfsense.org/issues/12169?journal_id=56825
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li></ul><p>Those should be added as a separate bug report and feature request. For most cases this is working fine.</p>

Jim Pingle, 2021-10-27T11:59:37Z, https://redmine.pfsense.org/issues/12169?journal_id=57055
<ul><li><strong>Plus Target Version</strong> changed from <i>21.09</i> to <i>22.01</i></li></ul>