
Bug #1254

IPsec dynamic tunnels don't reload correctly

Added by Chris Buechler over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: IPsec
Target version:
Start date: 02/05/2011
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

/etc/rc.newipsecdns does not reload dynamic tunnels as it should.

Associated revisions

Revision 891b3fa2 (diff)
Added by Chris Buechler over 8 years ago

need config.inc here, otherwise it fails to reload, config arrays are blank in vpn_ipsec*. Actual issue and fix for bug #1254

History

#2 Updated by Scott Ullrich over 8 years ago

Use this test program to compare:

#!/usr/local/bin/php
<?php
/* Test program: resolve the same name through PHP's two resolver paths
   so their results can be compared side by side. */
$dns_record = "www.pfsense.org";

echo "gethostbyname = " . gethostbyname($dns_record);
echo "\n";
/* print_r() only returns the dump as a string when its second argument is
   true; without it the array is printed first and "1" is concatenated. */
echo "dns_get_record = " . print_r(dns_get_record($dns_record, DNS_A), true);

?>

#3 Updated by Chris Buechler over 8 years ago

  • Subject changed from PHP's gethostbyname returns stale info to IPsec dynamic tunnels don't reload correctly
  • Status changed from New to Resolved

Updated ticket to the actual problem. It appears that there is actually no caching at all in gethostbyname; it issues a DNS query every single time it's run regardless of TTL, at least when run via CLI in /etc/rc.newipsecdns. The problem was the missing $config array when running the vpn_ipsec* functions, which made them fail. Confirmed working now.

#4 Updated by Joe Kelly over 8 years ago

If this is the same issue as the one discussed in the forum thread "VPN IPsec Remote gateway using DDNS doesn't update" (http://forum.pfsense.org/index.php/topic,29903.15.html), I can confirm that this fix does indeed work. I tried changing the IP address 5 times in a row and every time, the tunnel came back up in an average of about 30 seconds. Very nice work Chris!

One thing to note is that the old SAD entries for the old IP addresses don't seem to get cleared up -- at least not right away. I assume they'll expire after one of the Phase X lifetimes expires (don't know which one). I'm not sure if this is a big deal or not but I thought I should mention it anyway in case the old SAD entries are actually supposed to be cleaned up right away when the tunnel is reloaded with the new address.

#5 Updated by Chris Buechler over 8 years ago

Joe - the second issue you noticed requires DPD to function, see my post on the 2.0 board on the forum re: ipsec-tools 0.8.0, it fixes that.
