IPsec dynamic tunnels don't reload correctly
/etc/rc.newipsecdns does not reload dynamic tunnels as it should.
#1 Updated by Scott Ullrich over 8 years ago
We should test http://php.net/manual/en/function.dns-get-record.php vs gethostbyname
#3 Updated by Chris Buechler over 8 years ago
- Subject changed from PHP's gethostbyname returns stale info to IPsec dynamic tunnels don't reload correctly
- Status changed from New to Resolved
Updated ticket to the actual problem. It appears that there is actually no caching at all in gethostbyname; it issues a DNS query every single time it's run regardless of TTL, at least when run via CLI in /etc/rc.newipsecdns. The problem was the missing $config array when running the vpn_ipsec* functions, which made them fail. Confirmed working now.
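An added example (not pfSense's own /etc/rc.newipsecdns code) of the check that script has to perform for phase 1 entries whose remote gateway is a DDNS hostname, and of why the `$config` array must be declared `global` inside the function that walks the tunnels. The config layout, hostnames, addresses and the DNS stub are constructed for illustration.

```php
<?php
// Constructed stand-in for the pfSense $config array; the real layout differs.
$config = [
    'ipsec' => [
        'phase1' => [
            ['descr' => 'branch-a',  'remote-gateway' => 'branch-a.example.net'],
            ['descr' => 'hq-static', 'remote-gateway' => '198.51.100.10'],
        ],
    ],
];

// Resolve a remote gateway to its current address. A resolver callable is
// injected so the logic can be exercised with a stub instead of live DNS
// (the real script would pass gethostbyname or a dns_get_record wrapper).
function resolve_gateway(string $host, callable $resolver): ?string {
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        return $host;                      // static address, nothing to resolve
    }
    $ip = $resolver($host);
    // gethostbyname() returns the unmodified hostname on failure.
    return ($ip === false || $ip === $host) ? null : $ip;
}

// Return the phase 1 entries whose gateway address changed since the last run.
// "global $config" is the point of the ticket: without it $config is an
// undefined local, the loop sees no tunnels and nothing is ever reloaded.
function tunnels_needing_reload(array $last_seen, callable $resolver): array {
    global $config;
    $stale = [];
    foreach ($config['ipsec']['phase1'] ?? [] as $ph1) {
        $gw      = $ph1['remote-gateway'];
        $current = resolve_gateway($gw, $resolver);
        if ($current === null) {
            continue;                      // lookup failed: keep the existing SA rather than tear it down
        }
        if (($last_seen[$gw] ?? null) !== $current) {
            $stale[$ph1['descr']] = $current;
        }
    }
    return $stale;
}

// Constructed DNS stub: branch-a has moved from .5 to .7 since the last run.
$stub_dns  = fn(string $h) => ['branch-a.example.net' => '203.0.113.7'][$h] ?? false;
$last_seen = ['branch-a.example.net' => '203.0.113.5', '198.51.100.10' => '198.51.100.10'];
print_r(tunnels_needing_reload($last_seen, $stub_dns));
```

Only entries whose resolved address differs from the recorded one are returned, so the static peer and any peer whose lookup fails are left untouched.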
#4 Updated by Joe Kelly over 8 years ago
If this is the same issue as the one discussed in the forum thread "VPN IPsec Remote gateway using DDNS doesn't update" (http://forum.pfsense.org/index.php/topic,29903.15.html), I can confirm that this fix does indeed work. I tried changing the IP address 5 times in a row and every time, the tunnel came back up in an average of about 30 seconds. Very nice work Chris!
One thing to note is that the old SAD entries for the old IP addresses don't seem to get cleared up -- at least not right away. I assume they'll expire after one of the Phase X lifetimes expires (don't know which one). I'm not sure if this is a big deal or not but I thought I should mention it anyway in case the old SAD entries are actually supposed to be cleaned up right away when the tunnel is reloaded with the new address.