Added by Marcos M almost 3 years ago. Updated about 1 year ago.
100%
Description
The option Enable periodic keep alive check on the P2 configuration does not take into account the P1 option Child SA Start Action. When this P1 option is set to None (Responder Only), the keep alive check should not initiate the child SA.
Updated by Viktor Gurov almost 3 years ago
Updated by Jim Pingle almost 3 years ago
That is somewhat by design. It's doing exactly what the user configured it to do, and it's not the same behavior as letting strongswan connect when it starts. Letting this feature issue the command to bring up the P2 will happen after strongswan starts (which may only bring up a single P2, not this specific P2, or only initiates on traffic), and this feature handles it in a slightly different manner so it's possible the user wants it to happen that way.
If we suppress the behavior in responder only mode then the GUI text for the option should state this behavior as well, or maybe we should hide the P2 keep alive options for responder only mode, but that takes away the choice of the user to handle things differently.
Personally I think we should only add some warning text to the option stating that it will force an initiation of the tunnel even if the tunnel is configured for responder only. I don't think we should alter the behavior.
Updated by Marcos M almost 3 years ago
It caught me off-guard during testing, so I agree there should at least be some warning text on the option regardless. To me, responder only means that pfSense will never initiate a P1 or P2 (excluding rekeys), so having this option override that seems kind of odd. However, I now agree that it's good to have the flexibility. I propose we only change the text as follows:
From:
Periodically checks to see if the P2 is disconnected and initiates when it is down. Does not send traffic inside the tunnel. Works for VTI and tunnel mode P2 entries. For IKEv2 without split connections, this only needs to be enabled on one P2.
To:
Periodically check this P2 and initiate it if disconnected; does not send traffic inside the tunnel. This check ignores the P1 option "Child SA Start Action" and works for both VTI and tunnel mode P2s. For IKEv2 without split connections, this only needs to be enabled on one P2.
The text (EDIT: kept text)Does not send traffic inside the tunnel. is not needed here and is better left to the docs in my opinion.
Updated by Jim Pingle almost 3 years ago
"Does not send traffic inside the tunnel" is a key fact about how this feature operates and differentiates it from the ping host option above it, which does send traffic inside the tunnel. It's important to keep in the description where it is so people know the difference.
Updated by Marcos M over 1 year ago
Updated by Marcos M over 1 year ago
Applied in changeset 56f0a8361c1a73266a93a20b0a3a7566ebfe164a.
Updated by Jim Pingle about 1 year ago
New text is visible in the IPsec P2 edit page.
Updated by Jim Pingle about 1 year ago