Bug #13375
open
Mixing VTI and disabled Tunnel Mode phase 2 entries on the same phase 1 breaks VTI gateway monitoring
Added by Kris Phillips almost 2 years ago.
Updated 17 days ago.
Affected Architecture:
All
Description
If a user disables all of their tunnel mode Phase 2 entries to migrate to VTI, rather than deleting them, the VTI gateway will always be down even with a dpinger restart or restarting the entire firewall. After deleting the tunnel mode Phase 2s and restarting the IPSec service, the VTI tunnel will start passing traffic.
Files
It could be better to add restriction when creating VTI to delete tunnel mode Phase 2 entries.
- Project changed from pfSense Plus to pfSense
- Subject changed from Mixing VTI and disabled Tunnel Mode Phase 2s Causes VTI gateway to break to Mixing VTI and disabled Tunnel Mode phase 2 entries on the same phase 1 breaks VTI gateway monitoring
- Category changed from IPsec to IPsec
- Affected Plus Version deleted (
22.05)
It isn't valid to have both types on the same P1. I thought we already had checks that prevented ending up with the configuration in that state to start with, though it's possible that the validation isn't checking disabled P2s when it prevents mixing them.
Jim Pingle wrote in #note-2:
It isn't valid to have both types on the same P1. I thought we already had checks that prevented ending up with the configuration in that state to start with, though it's possible that the validation isn't checking disabled P2s when it prevents mixing them.
If there is checks for active Phase 2s configured with a mixture of VTI and Tunnel mode, it's not working. See attached freshly created and completely enabled (never disabled).
I created a test Phase 1 and then created both a tunnel mode Phase 2 and a VTI Phase 2 and the webConfigurator didn't complain at all.
This seems to affect 22.11 builds as well.
Confirmed for 23.01 builds too.
Tested this on 23.09.1. This is still present.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 