Bug #12315: IPsec tunnels using a gateway group do not get reloaded in some cases - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #12315

closed

IPsec tunnels using a gateway group do not get reloaded in some cases

Added by Jim Pingle over 2 years ago. Updated about 2 years ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.6.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.01

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

When ipsec_force_reload($interface) is called, for example by /etc/rc.newwanip, it only looks for tunnels which specifically match the given interface name.

If a tunnel has a gateway group assigned as its interface, the tunnel does not get reloaded when it should as it does not match the interface name directly.

The function should also check if the Phase 1 source for a tunnel (either an interface, a VIP, or a gateway group) matches an address on the interface name passed to the function.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Description updated (diff)

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Confirmed
Assignee set to Jim Pingle

Was able to reproduce it easily just by setting an IPsec tunnel to a gateway group and running the function. Fix incoming.

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from Confirmed to Feedback
% Done changed from 0 to 100

Applied in changeset 336103c470c1064ee2264606ef9046ba34987df6.

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

related issue - #6370 (duplicate?)

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Viktor Gurov wrote in #note-4:

related issue - #6370 (duplicate?)

It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.

If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.

Actions

Copy link

Updated by Hagen Herrschaft over 2 years ago

Jim Pingle wrote in #note-5:

Viktor Gurov wrote in #note-4:

related issue - #6370 (duplicate?)

It's possibly related but I wouldn't say it's the same thing at a glance. This particular issue affects refreshing the config even without failover/failback.

If someone can still reproduce that other issue, try it on a current snapshot with this fix in place. If it does work, the old issue can be cross-referenced here and closed.

I reported this through Netgate support yesterday. Just to get it crystal clear; this also affects pfSense when having an interface configured in P1, a gateway group is not mandatory. (Jim, you eventually meant that with "even without failover/failback").

Actions

Copy link

Updated by Marcos M over 2 years ago

There are other cases in which the tunnel may not get re-established ( e.g. #12169 ) which are separate from this issue. This fix should - for example - address the case in which the IP changes for an interface in a gateway group bound to IPsec.

If you can reproduce the issue without the use of gateway groups, please collect the logs including the time when the issue happened and follow up with support.

Actions

Copy link