Bug #2303
closedSPD on secondary not cleared after config sync
100%
Description
When IPsec is disabled on the primary, it syncs over and disables it on the secondary, but it leaves the SPD in place. The SPD and SAD have to be cleared on the secondary in such situations, same as they are on the primary.
Updated by Erick Tyack over 12 years ago
pfSense is our primary gateway running behind a telco provided MPLS network. In the event we lose a connection at one of our remote locations, we bring an IPSec VPN up on a backup Internet connection. Once the MPLS network is restored, we tear down the IPSec VPN tunnel. Leaving the SPD in place causes a headache with routing until SPD's are manually deleted. Is is possible to bump this bug up in priority? Thanks.
Updated by Renato Botelho almost 12 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset d026178fa695f607f3b490978a9f4113fa7b111d.
Updated by luca cuzzolin over 11 years ago
I have same problem with 2.0 and 2.1 - 29 may snapshot.
I use a mutual psk+ xauth for mobile clients with Policy Generation on, Proposal Checking obey, nat trasversal force, DPD on.
It does not matter how i change the options when a mobile client disconnects racoon does not flush SA.
This is with racoonctl show-event when a client connects
Phase 1 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 2 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
This is with racoonctl show-event when a client disconnects
Event 262: 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 deleted : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
setkey -D has steel the SA
80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any .........
80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any
I note in /etc/inc/ipsec.inc there is a function that calls mobile clients when disconnects ( ithink, i'm not too familiar with pfsense) :
function ipsec_disconnect_mobile($username) {
if (empty($username))
return false;
exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
}
when i try to logout the user with racoonctl like in function doen't flush SA
If i flush with setkey -F everything is working with next reconnection but only for one connection.
Updated by Renato Botelho over 11 years ago
- Status changed from New to Feedback
It's not related to this issue, if you still have a problem please open a ticket for it.