Bug #12315

open

IPsec tunnels using a gateway group do not get reloaded in some cases

Added by Jim Pingle about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: High
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 21.09
Release Notes: Default
Affected Version:
Affected Architecture:

Description

When ipsec_force_reload($interface) is called, for example by /etc/rc.newwanip, it only looks for tunnels which specifically match the given interface name.

If a tunnel has a gateway group assigned as its interface, the tunnel does not get reloaded when it should as it does not match the interface name directly.

The function should also check if the Phase 1 source for a tunnel (either an interface, a VIP, or a gateway group) matches an address on the interface name passed to the function.
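As an added illustration of the matching logic described above (this is not code from the pfSense tree and not the fix attached to this ticket): a self-contained PHP sketch that contrasts the behaviour the report describes, an exact string match on the Phase 1 interface field, with a check that first resolves the Phase 1 source to the underlying interface(s): a VIP's parent interface, or every member interface of a gateway group. The config arrays, the "_vip" plus uniqid VIP naming, the "gateway|tier|virtualip" gateway-group item layout and the function names only loosely mirror pfSense conventions and are assumptions made for the example, not pfSense's API.

```php
<?php
// Added example, not pfSense code. The array shapes below loosely mirror
// config.xml but are assumptions for this demo, as are all function names.

// Constructed sample configuration.
$gateways = [
    ['name' => 'WAN_DHCP',  'interface' => 'wan'],
    ['name' => 'WAN2_DHCP', 'interface' => 'opt1'],
];
$gateway_groups = [
    // item format assumed here: "gatewayname|tier|virtualip"
    ['name' => 'WANFailover', 'item' => ['WAN_DHCP|1|address', 'WAN2_DHCP|2|address']],
];
$vips = [
    ['uniqid' => 'abc123', 'interface' => 'wan', 'subnet' => '203.0.113.10'],
];
$phase1 = [
    ['ikeid' => 1, 'descr' => 'direct on wan',    'interface' => 'wan'],
    ['ikeid' => 2, 'descr' => 'gateway group',    'interface' => 'WANFailover'],
    ['ikeid' => 3, 'descr' => 'VIP on wan',       'interface' => '_vipabc123'],
    ['ikeid' => 4, 'descr' => 'unrelated (opt2)', 'interface' => 'opt2'],
];

// Behaviour the ticket describes: only an exact match on the interface
// field counts, so a tunnel bound to a gateway group or VIP is never reloaded.
function p1_matches_name_only(array $p1, string $iface): bool
{
    return $p1['interface'] === $iface;
}

// Resolve a Phase 1 "interface" value to the real interface(s) it can be
// sourced from: the VIP's parent interface, every member interface of a
// gateway group, or the name itself for a plain interface.
function p1_source_interfaces(string $src, array $vips, array $gateway_groups, array $gateways): array
{
    if (strpos($src, '_vip') === 0) {               // VIP reference: "_vip" . uniqid
        $uniqid = substr($src, strlen('_vip'));
        foreach ($vips as $vip) {
            if ($vip['uniqid'] === $uniqid) {
                return [$vip['interface']];
            }
        }
        return [];                                   // dangling VIP reference
    }
    foreach ($gateway_groups as $group) {
        if ($group['name'] !== $src) {
            continue;
        }
        $members = [];
        foreach ($group['item'] as $item) {
            $gwname = explode('|', $item)[0];
            foreach ($gateways as $gw) {
                if ($gw['name'] === $gwname) {
                    $members[] = $gw['interface'];
                }
            }
        }
        return array_values(array_unique($members));
    }
    return [$src];                                   // plain interface name
}

// Corrected check: reload if the tunnel's source resolves to the changed interface.
function p1_needs_reload(array $p1, string $iface, array $vips, array $gateway_groups, array $gateways): bool
{
    $sources = p1_source_interfaces($p1['interface'], $vips, $gateway_groups, $gateways);
    return in_array($iface, $sources, true);
}

// Simulate /etc/rc.newwanip firing for "wan": ikeid 1, 2 and 3 should reload,
// but the name-only check only catches ikeid 1.
$changed = 'wan';
foreach ($phase1 as $p1) {
    printf("ikeid %d (%s): name-only=%s resolved=%s\n",
        $p1['ikeid'], $p1['descr'],
        p1_matches_name_only($p1, $changed) ? 'reload' : 'skip',
        p1_needs_reload($p1, $changed, $vips, $gateway_groups, $gateways) ? 'reload' : 'skip');
}
```

The sketch reduces the check to interface membership; the description's last paragraph asks for an address comparison, so a production version would compare the address the Phase 1 actually sources from against the addresses currently on the interface passed in, which also covers a gateway group whose active member changed without the interface name changing.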

#1

Updated by Jim Pingle about 2 months ago

  • Description updated (diff)
#2

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle

Was able to reproduce it easily just by setting an IPsec tunnel to a gateway group and running the function. Fix incoming.

#3

Updated by Jim Pingle about 2 months ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100
#4

Updated by Viktor Gurov about 2 months ago

related issue - #6370 (duplicate?)

#5

Updated by Jim Pingle about 2 months ago

Viktor Gurov wrote in #note-4:

related issue - #6370 (duplicate?)

It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.

If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.

#6

Updated by Hagen Herrschaft about 2 months ago

Jim Pingle wrote in #note-5:

Viktor Gurov wrote in #note-4:

related issue - #6370 (duplicate?)

It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.

If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.

I reported this through Netgate support yesterday. Just to get it crystal clear: this also affects pfSense when having an interface configured in P1; a gateway group is not mandatory. (Jim, you eventually meant that with "even without failover/failback".)

#7

Updated by Marcos Mendoza about 2 months ago

There are other cases in which the tunnel may not get re-established (e.g. #12169) which are separate from this issue. This fix should, for example, address the case in which the IP changes for an interface in a gateway group bound to IPsec.

If you can reproduce the issue without the use of gateway groups, please collect the logs including the time when the issue happened and follow up with support.
