<p>pfSense bugtracker</p>
<p>pfSense - Todo #12762: Clarify that the IPsec keep alive check option ignores Child SA Start Action</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=58739 (2022-02-07T04:39:39Z, Viktor Gurov)</p>
<ul><li><strong>Assignee</strong> set to <i>Viktor Gurov</i></li></ul><p>Fix:<br /><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/599">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/599</a></p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=58742 (2022-02-07T08:21:50Z, Jim Pingle)</p>
<p>That is somewhat by design. It's doing exactly what the user configured it to do, and it's not the same behavior as letting strongswan connect when it starts. Letting this feature issue the command to bring up the P2 will happen after strongswan starts (which may only bring up a single P2, not this specific P2, or only initiates on traffic), and this feature handles it in a slightly different manner so it's possible the user wants it to happen that way.</p>
<p>If we suppress the behavior in responder only mode then the GUI text for the option should state this behavior as well, or maybe we should hide the P2 keep alive options for responder only mode, but that takes away the choice of the user to handle things differently.</p>
<p>Personally I think we should only add some warning text to the option stating that it will force an initiation of the tunnel even if the tunnel is configured for responder only. I don't think we should alter the behavior.</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=58751 (2022-02-07T11:06:57Z, Marcos M)</p>
<p>It caught me off-guard during testing, so I agree there should at least be some warning text on the option regardless. To me, responder only means that pfSense will never initiate a P1 or P2 (excluding rekeys), so having this option override that seems kind of odd. However, I now agree that it's good to have the flexibility. I propose we only change the text as follows:</p>
<p>From:</p>
<blockquote>
<p>Periodically checks to see if the P2 is disconnected and initiates when it is down. Does not send traffic inside the tunnel. Works for VTI and tunnel mode P2 entries. For IKEv2 without split connections, this only needs to be enabled on one P2.</p>
</blockquote>
<p>To:</p>
<blockquote>
<p>Periodically check this P2 and initiate it if disconnected; does not send traffic inside the tunnel. This check ignores the P1 option "Child SA Start Action" and works for both VTI and tunnel mode P2s. For IKEv2 without split connections, this only needs to be enabled on one P2.</p>
</blockquote>
<p><del>The text <code>Does not send traffic inside the tunnel.</code> is not needed here and is better left to the docs in my opinion.</del> (EDIT: kept text)</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=58752 (2022-02-07T11:11:38Z, Jim Pingle)</p>
<p>"Does not send traffic inside the tunnel" is a key fact about how this feature operates and differentiates it from the ping host option above it, which does send traffic inside the tunnel. It's important to keep in the description where it is so people know the difference.</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=58753 (2022-02-07T11:21:48Z, Marcos M)</p>
<p>Ok, edited my previous comment.</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=68728 (2023-07-27T16:50:12Z, Marcos M)</p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Todo</i></li><li><strong>Subject</strong> changed from <i>IPsec keep alive check ignores Child SA Start Action</i> to <i>Clarify that the IPsec keep alive check option ignores Child SA Start Action</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li><li><strong>Assignee</strong> changed from <i>Viktor Gurov</i> to <i>Marcos M</i></li><li><strong>Target version</strong> set to <i>2.8.0</i></li><li><strong>Plus Target Version</strong> set to <i>23.09</i></li></ul><p><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1051">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1051</a></p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=68756 (2023-07-28T16:50:09Z, Marcos M)</p>
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Clarify IPsec Keep Alive description. Fix #12762" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/56f0a8361c1a73266a93a20b0a3a7566ebfe164a">56f0a8361c1a73266a93a20b0a3a7566ebfe164a</a>.</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=69728 (2023-09-19T15:06:20Z, Jim Pingle)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>New text is visible in the IPsec P2 edit page.</p>
<p>Journal entry: https://redmine.pfsense.org/issues/12762?journal_id=70663 (2023-11-06T15:22:40Z, Jim Pingle)</p>
<ul><li><strong>Target version</strong> changed from <i>2.8.0</i> to <i>2.7.1</i></li></ul>