Project

General

Profile

Actions
Copy link

Bug #13131

closed

Mobile IPsec clients cannot be manually disconnected from IPsec status screen

Added by Lars Pedersen almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
IPsec
Target version:
2.7.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:
All

Description

The red "Disconnect P1" button in status ipsec overview doesn't seem to work anymore in pfsense 2.6.0 for mobile clients. The client is still using the same connection and the established time is continuing.

When the button is clicked the IPSec logs shows:

May 5 14:05:25 charon 10725 05[CFG] vici terminate IKE_SA 'con'

So I think it tries to delete a a connection for IKE_SA named "con", which hardly can be unique.

Files

Download all files
status_ipsec_overview_button_p1_bug.png (23.9 KB) status_ipsec_overview_button_p1_bug.png Lars Pedersen, 05/05/2022 09:03 AM
clipboard-202205060857-lyees.png (31.6 KB) clipboard-202205060857-lyees.png Lars Pedersen, 05/06/2022 01:57 AM
Actions
Copy link
 #1

Updated by Jim Pingle almost 2 years ago

What specific type of mobile IPsec configuration is this? (e.g. IKEv1, xauth, IKEv2, EAP-TLS, EAP-MSCHAPv2, etc)

Actions
Copy link
 #2

Updated by Lars Pedersen almost 2 years ago

It is clients (roadwarriors) using IKEv2 with PSKs

I added a snapshot more. My guess is some regex that returns con from the string "con-mobile #14077"

Actions
Copy link
 #3

Updated by Danilo Zrenjanin almost 2 years ago

Tested:

2.7.0-DEVELOPMENT (amd64)
built on Tue May 10 14:23:11 UTC 2022
FreeBSD 12.3-STABLE

Indeed the IKE_SA doesn't get disconnected upon clicking on the Disconnect P1 button. I am getting the same log as stated in the ticket description.

May 11 10:24:02     charon     80091     15[CFG] vici terminate IKE_SA 'con'

Actions
Copy link
 #4

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.7.0
  • Plus Target Version set to 22.05
Actions
Copy link
 #5

Updated by Jim Pingle almost 2 years ago

  • Subject changed from Disconnect P1 button not working in status IPSec overview to Mobile IPsec clients cannot be manually disconnected from IPsec status screen

I was able to replicate the problem and have a fix.

Actions
Copy link
 #6

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Danilo Zrenjanin almost 2 years ago

  • Status changed from Feedback to Resolved

Tested:

2.7.0-DEVELOPMENT (amd64)
built on Thu May 19 06:14:05 UTC 2022
FreeBSD 12.3-STABLE

It works as expected. I am marking this ticket resolved.

Actions
Copy link

Also available in: Atom PDF