Bug #14738
closed
IPsec restart in CARP event scripts does not check VIP properly and never runs
100%
Description
The IPsec interface VIP check in rc.carpmaster and rc.carpbackup is not checking the VIP presence properly and thus can never trigger.
To me, I have a fix ready and tested.
Updated by Jim Pingle 8 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset fcd5e10a67ac9a67cc7116ea1a314aaea225c699.
Updated by Georgiy Tyutyunnik 8 months ago
Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT
IPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately
Updated by Jim Pingle 8 months ago
Georgiy Tyutyunnik wrote in #note-2:
Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENTIPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately
That may not be an accurate test of this fix. When using a CARP VIP, check the IPsec configuration while in master and backup states. If the config is different (e.g. when in backup mode it is responder only, but not when it's in master mode), then this patch is doing all it can.
It can still take several minutes for an IPsec failover to occur no matter what the settings are, depending on DPD timing and so on.
Updated by Georgiy Tyutyunnik 8 months ago
I stand corrected after my config's review - patch is working