Todo #12762

closed

Clarify that the IPsec keep alive check option ignores Child SA Start Action

Added by Marcos M about 2 years ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09
Release Notes: Default

Description

The option "Enable periodic keep alive check" on the P2 configuration does not take into account the P1 option "Child SA Start Action". When this P1 option is set to None (Responder Only), the keep alive check should not initiate the child SA.

Actions #1

Updated by Viktor Gurov about 2 years ago

  • Assignee set to Viktor Gurov

Actions #2

Updated by Jim Pingle about 2 years ago

That is somewhat by design. It's doing exactly what the user configured it to do, and it's not the same behavior as letting strongswan connect when it starts. Letting this feature issue the command to bring up the P2 will happen after strongswan starts (which may only bring up a single P2, not this specific P2, or only initiates on traffic), and this feature handles it in a slightly different manner so it's possible the user wants it to happen that way.

If we suppress the behavior in responder only mode then the GUI text for the option should state this behavior as well, or maybe we should hide the P2 keep alive options for responder only mode, but that takes away the choice of the user to handle things differently.

Personally I think we should only add some warning text to the option stating that it will force an initiation of the tunnel even if the tunnel is configured for responder only. I don't think we should alter the behavior.

Actions #3

Updated by Marcos M about 2 years ago

It caught me off-guard during testing, so I agree there should at least be some warning text on the option regardless. To me, responder only means that pfSense will never initiate a P1 or P2 (excluding rekeys), so having this option override that seems kind of odd. However, I now agree that it's good to have the flexibility. I propose we only change the text as follows:

From:

Periodically checks to see if the P2 is disconnected and initiates when it is down. Does not send traffic inside the tunnel. Works for VTI and tunnel mode P2 entries. For IKEv2 without split connections, this only needs to be enabled on one P2.

To:

Periodically check this P2 and initiate it if disconnected; does not send traffic inside the tunnel. This check ignores the P1 option "Child SA Start Action" and works for both VTI and tunnel mode P2s. For IKEv2 without split connections, this only needs to be enabled on one P2.

The text "Does not send traffic inside the tunnel." is not needed here and is better left to the docs in my opinion. (EDIT: kept text)

Actions #4

Updated by Jim Pingle about 2 years ago

"Does not send traffic inside the tunnel" is a key fact about how this feature operates and differentiates it from the ping host option above it, which does send traffic inside the tunnel. It's important to keep in the description where it is so people know the difference.

Actions #5

Updated by Marcos M about 2 years ago

Ok, edited my previous comment.

Actions #6

Updated by Marcos M 8 months ago

  • Tracker changed from Bug to Todo
  • Subject changed from IPsec keep alive check ignores Child SA Start Action to Clarify that the IPsec keep alive check option ignores Child SA Start Action
  • Status changed from New to Pull Request Review
  • Assignee changed from Viktor Gurov to Marcos M
  • Target version set to 2.8.0
  • Plus Target Version set to 23.09

Actions #7

Updated by Marcos M 8 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

Actions #8

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

New text is visible in the IPsec P2 edit page.

Actions #9

Updated by Jim Pingle 4 months ago

  • Target version changed from 2.8.0 to 2.7.1