Bug #14738
closed
IPsec restart in CARP event scripts does not check VIP properly and never runs
Added by Jim Pingle over 1 year ago.
Updated about 1 year ago.
Plus Target Version: 23.09
Description
The IPsec interface VIP check in rc.carpmaster and rc.carpbackup is not checking the VIP presence properly and thus can never trigger.
To me, I have a fix ready and tested.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT
IPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately
Georgiy Tyutyunnik wrote in #note-2:
Reproduced the issue on
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT
IPSec correctly initiates if I source the same IPSec tunnel from any VIP type other than CARP.
patch didn't fix the IPSec issue in my setup unfortunately
That may not be an accurate test of this fix. When using a CARP VIP, check the IPsec configuration while in master and backup states. If the config is different (e.g. when in backup mode it is responder only, but not when it's in master mode), then this patch is doing all it can.
It can still take several minutes for an IPsec failover to occur no matter what the settings are, depending on DPD timing and so on.
I stand corrected after my config's review - patch is working
- Status changed from Feedback to Resolved
- Target version changed from 2.8.0 to 2.7.1