Bug #12315 (closed, 100% done)
IPsec tunnels using a gateway group do not get reloaded in some cases
Description
When ipsec_force_reload($interface) is called, for example by /etc/rc.newwanip, it only looks for tunnels which specifically match the given interface name.
If a tunnel has a gateway group assigned as its interface, the tunnel does not get reloaded when it should as it does not match the interface name directly.
The function should also check if the Phase 1 source for a tunnel (either an interface, a VIP, or a gateway group) matches an address on the interface name passed to the function.
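The difference between the name-only check and the corrected source-to-address check, as an added illustration that is not pfSense's own code; the config arrays, interface addresses and the gateway group's active member are all constructed stand-ins for what ipsec_force_reload() reads on a real firewall.

```php
<?php
// Added illustration, not pfSense's own code: the real logic lives in
// ipsec_force_reload() in ipsec.inc. Every array below is a constructed
// stand-in for the config that function reads.

// Constructed: addresses currently on each interface (VIPs included),
// i.e. what /etc/rc.newwanip has just (re)configured.
$iface_addrs = [
    'wan'  => ['203.0.113.10', '203.0.113.11'],
    'wan2' => ['198.51.100.20'],
];
// Constructed: Virtual IPs by name, and gateway groups with their
// currently active failover member.
$vips      = ['wan_vip1' => ['subnet' => '203.0.113.11']];
$gw_groups = ['WANGROUP' => ['active_interface' => 'wan']];

// Constructed Phase 1 entries keyed by ikeid. The 'interface' field holds
// an interface name, a VIP name, or a gateway group name, as pfSense stores it.
$phase1 = [
    1 => ['interface' => 'wan',      'descr' => 'bound to interface'],
    2 => ['interface' => 'wan_vip1', 'descr' => 'bound to VIP'],
    3 => ['interface' => 'WANGROUP', 'descr' => 'bound to gateway group'],
    4 => ['interface' => 'wan2',     'descr' => 'bound to other interface'],
];

// Before the fix: reload only on a literal interface-name match, so a
// gateway-group (or VIP) source is never selected.
function p1_matches_old(array $p1, string $interface): bool {
    return $p1['interface'] === $interface;
}

// After the fix: resolve the P1 source to the address(es) it actually uses,
// then reload if any of them sits on the interface being refreshed.
function p1_matches_new(array $p1, string $interface, array $iface_addrs,
                        array $vips, array $gw_groups): bool {
    $src = $p1['interface'];
    if (isset($gw_groups[$src])) {
        $src_addrs = $iface_addrs[$gw_groups[$src]['active_interface']] ?? [];
    } elseif (isset($vips[$src])) {
        $src_addrs = [$vips[$src]['subnet']];
    } else {
        $src_addrs = $iface_addrs[$src] ?? [];
    }
    return array_intersect($src_addrs, $iface_addrs[$interface] ?? []) !== [];
}

foreach ($phase1 as $ikeid => $p1) {
    printf("ikeid %d (%s): old=%s new=%s\n", $ikeid, $p1['descr'],
        p1_matches_old($p1, 'wan') ? 'reload' : 'skip',
        p1_matches_new($p1, 'wan', $iface_addrs, $vips, $gw_groups) ? 'reload' : 'skip');
}
```

The gateway group's active member is hard-coded here; on a real firewall it is whatever gateway monitoring has currently selected, which is exactly why a comparison on the stored name alone cannot see it.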
Updated by Jim Pingle about 3 years ago
- Status changed from New to Confirmed
- Assignee set to Jim Pingle
Was able to reproduce it easily just by setting an IPsec tunnel to a gateway group and running the function. Fix incoming.
Updated by Jim Pingle about 3 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 336103c470c1064ee2264606ef9046ba34987df6.
Updated by Jim Pingle about 3 years ago
Viktor Gurov wrote in #note-4:
related issue - #6370 (duplicate?)
It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.
If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.
Updated by Hagen Herrschaft about 3 years ago
Jim Pingle wrote in #note-5:
Viktor Gurov wrote in #note-4:
related issue - #6370 (duplicate?)
It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.
If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.
I reported this through Netgate support yesterday. Just to get it crystal clear: this also affects pfSense when having an interface configured in P1, a gateway group is not mandatory. (Jim, you eventually meant that with "even without failover/failback".)
Updated by Marcos M about 3 years ago
There are other cases in which the tunnel may not get re-established (e.g. #12169) which are separate from this issue. This fix should, for example, address the case in which the IP changes for an interface in a gateway group bound to IPsec.
If you can reproduce the issue without the use of gateway groups, please collect the logs including the time when the issue happened and follow up with support.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Resolved