Project

General

Profile

Actions

Bug #12472

closed

IPsec Keep Alive does not work correctly with gateway groups in HA

Added by Marcos Mendoza 3 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Force Exclusion
Affected Version:
2.6.0
Affected Architecture:

Description

In ipsec_keepalive.php: (substr($status[$ikeid]['p1']['interface'], 0, 4) == "_vip") returns a false negative when the interface is a gateway group due to ['interface'] at this point being defined as the gateway group name. This leads to the secondary incorrectly initiating a connection.

Actions #1

Updated by Viktor Gurov 3 months ago

It's difficult to determine if specific interfaces of a gateway group are being used for CARP VIP too, since the configuration of the gateway group uses gateways (which use interfaces) but not VIP

Actions #2

Updated by Jim Pingle 3 months ago

Viktor Gurov wrote in #note-1:

It's difficult to determine if specific interfaces of a gateway group are being used for CARP VIP too, since the configuration of the gateway group uses gateways (which use interfaces) but not VIP

Presumably in this case the user should have selected a CARP VIP when creating or editing a gateway group using the Virtual IP field there. In other areas that is used to influence which VIP is associated with an interface in a gateway group.

So perhaps it could have another check that compares against that value, though it does add a bit more complexity.

Actions #3

Updated by Marcos Mendoza 3 months ago

There exists checks in other areas that could be adapted for this:
https://gitlab.netgate.com/pfSense/pfSense/blob/master/src/etc/inc/openvpn.inc#L1580

    /* Check if client is bound to a gateway group */
    $a_groups = return_gateway_groups_array(true);
    if (is_array($a_groups[$settings['interface']])) {
        /* the interface is a gateway group. If a vip is defined and its a CARP backup then do not start */
        if (($a_groups[$settings['interface']][0]['vip'] <> "") && (!in_array(get_carp_interface_status($a_groups[$settings['interface']][0]['vip']), array("MASTER", "")))) {
            unlock($lockhandle);
            return;
        }
    }

Actions #5

Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 22.01
Actions #6

Updated by Viktor Gurov 3 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle about 2 months ago

  • Release Notes changed from Default to Force Exclusion

This was an issue with a newly added feature, so it does not need to be in the release notes.

Actions #8

Updated by Marcos Mendoza about 2 months ago

FWIW this works correctly now - tested on 22.01.a.20211204.0600.

Actions #9

Updated by Marcos Mendoza about 2 months ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF