Bug #12198
closed
Disabling an IPsec phase 1 entry does not disable related phase 2 entries
Added by Viktor Gurov over 2 years ago.
Updated over 2 years ago.
Plus Target Version:
22.01
Description
How to reproduce:
1) Create IPsec PH1 with several PH2 VTI entries
2) Toggle "disable" button on the vpn_ipsec.php page
3) <phase1> has a <disable> entry in config.xml, but not <phase2>
4) If you try to make any changes to this PH1 disabled entry on the vpn_ipsec_phase1.php page, you'll get an error:
Cannot disable a Phase 1 which contains an active VTI Phase 2 with an interface assigned. Remove the interface assignment before deleting this P1.
- Related to Bug #11792: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled added
IMO, the P2s should not get their own disabled flag set in this case. The code should assume they are disabled if their P1 is disabled, but otherwise it would become tedious to manage them if there are many P2s and someone wants to temporarily disable the P1. They would have to only click disable on the P1 but to enable they'd have to manually enable every P1. Automatically enabling every P2 would likewise be a bad approach because the user may have one out of many P2s explicitly disabled and after toggling the P1 it would end up in an enabled state unexpectedly.
Jim Pingle wrote in #note-2:
IMO, the P2s should not get their own disabled flag set in this case. The code should assume they are disabled if their P1 is disabled, but otherwise it would become tedious to manage them if there are many P2s and someone wants to temporarily disable the P1. They would have to only click disable on the P1 but to enable they'd have to manually enable every P1. Automatically enabling every P2 would likewise be a bad approach because the user may have one out of many P2s explicitly disabled and after toggling the P1 it would end up in an enabled state unexpectedly.
Right,
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/318
- Status changed from New to Pull Request Review
- Target version set to 2.6.0
- Plus Target Version set to 21.09
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
- Status changed from Feedback to Resolved
fixed
I was able to make changes in disabled P1 without errors
2.6.0.a.20210814.1404
- Subject changed from IPsec PH2 related entries are not disabled after PH1 disable button is pressed to Disabling an IPsec Phase 1 entry does not disable related Phase 2 entries
Updating subject for release notes.
- Subject changed from Disabling an IPsec Phase 1 entry does not disable related Phase 2 entries to Disabling an IPsec phase 1 entry does not disable related phase 2 entries
- Plus Target Version changed from 21.09 to 22.01
Also available in: Atom
PDF
Updated by Viktor Gurov 
Updated by 
Updated by