Bug #13375
Status: open
Mixing VTI and disabled Tunnel Mode phase 2 entries on the same phase 1 breaks VTI gateway monitoring
Done: 0%
Description
If a user disables all of their tunnel mode Phase 2 entries to migrate to VTI, rather than deleting them, the VTI gateway will always be down even with a dpinger restart or restarting the entire firewall. After deleting the tunnel mode Phase 2s and restarting the IPSec service, the VTI tunnel will start passing traffic.
Updated by Alhusein Zawi over 2 years ago
It could be better to add a restriction when creating VTI to delete tunnel mode Phase 2 entries.
Updated by Jim Pingle over 2 years ago
- Project changed from pfSense Plus to pfSense
- Subject changed from Mixing VTI and disabled Tunnel Mode Phase 2s Causes VTI gateway to break to Mixing VTI and disabled Tunnel Mode phase 2 entries on the same phase 1 breaks VTI gateway monitoring
- Category changed from IPsec to IPsec
- Affected Plus Version deleted (22.05)
It isn't valid to have both types on the same P1. I thought we already had checks that prevented ending up with the configuration in that state to start with, though it's possible that the validation isn't checking disabled P2s when it prevents mixing them.
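To make the validation gap discussed in the description and in the note above concrete, here is an added example (not pfSense code) that models a Phase 2 mode-mixing check for one Phase 1: the `include_disabled=False` path reproduces a check that skips disabled entries and therefore lets the broken mix through, while the default path rejects it. The field names (`ikeid`, `mode`, `disabled`) and mode values are assumptions mirroring pfSense's config layout, not taken from the project's source.

```python
# Added example, not pfSense code. Field names and mode values below are
# assumptions about the config layout, not verified against the project.
VTI_MODES = {"vti"}
TUNNEL_MODES = {"tunnel", "tunnel6"}


def p2_kind(p2):
    """Classify a Phase 2 entry as 'vti', 'tunnel' or 'transport'."""
    mode = p2.get("mode", "")
    if mode in VTI_MODES:
        return "vti"
    if mode in TUNNEL_MODES:
        return "tunnel"
    return "transport"


def check_p2_mix(phase2s, ikeid, include_disabled=True):
    """Return an error string if Phase 1 `ikeid` would carry both VTI and
    tunnel-mode Phase 2 entries, otherwise None.

    With include_disabled=False the check ignores disabled entries, which
    is the gap the ticket describes: a disabled tunnel-mode P2 left over
    from a migration passes validation but still breaks VTI monitoring.
    """
    kinds = set()
    for p2 in phase2s:
        if p2.get("ikeid") != ikeid:
            continue  # belongs to a different Phase 1
        if not include_disabled and p2.get("disabled"):
            continue  # the buggy behaviour: disabled P2s are not counted
        kinds.add(p2_kind(p2))
    if "vti" in kinds and "tunnel" in kinds:
        return (f"Phase 1 {ikeid}: VTI and tunnel mode Phase 2 entries "
                "cannot be mixed (disabled entries still count)")
    return None


def validate_new_p2(new_p2, existing):
    """Form-time check: reject saving `new_p2` if it would create a mix."""
    return check_p2_mix(existing + [new_p2], new_p2.get("ikeid"))


# Constructed sample: P1 #1 keeps a disabled tunnel-mode P2 next to a VTI P2.
SAMPLE = [
    {"ikeid": 1, "mode": "tunnel", "disabled": True, "descr": "old net-to-net"},
    {"ikeid": 1, "mode": "vti", "disabled": False, "descr": "new VTI"},
    {"ikeid": 2, "mode": "tunnel", "disabled": False, "descr": "unrelated P1"},
]
```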
Updated by Kris Phillips over 2 years ago
Jim Pingle wrote in #note-2:
It isn't valid to have both types on the same P1. I thought we already had checks that prevented ending up with the configuration in that state to start with, though it's possible that the validation isn't checking disabled P2s when it prevents mixing them.
If there are checks for active Phase 2s configured with a mixture of VTI and Tunnel mode, they're not working. See the attached, freshly created and completely enabled (never disabled).
I created a test Phase 1 and then created both a tunnel mode Phase 2 and a VTI Phase 2 and the webConfigurator didn't complain at all.
Updated by Kris Phillips over 2 years ago
This seems to affect 22.11 builds as well.
Updated by Kris Phillips 9 months ago
Tested this on 23.09.1. This is still present.