Bug #2303

closed

SPD on secondary not cleared after config sync

Added by Chris Buechler about 12 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
XMLRPC
Target version:
Start date:
03/20/2012
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

When IPsec is disabled on the primary, the change syncs over and disables IPsec on the secondary, but it leaves the SPD in place. The SPD and SAD have to be cleared on the secondary in this situation, the same as they are on the primary.
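As an added check for the condition reported above (example code, not from pfSense or the bug's author), the following reads setkey(8) dumps and flags a secondary that still carries policies or SAs after IPsec was disabled. The sample dumps, function names and the assumption that FreeBSD setkey prints a "spid=" line per policy and an "spi=" line per SA are mine, not the page's.

```shell
# Added example, not part of the bug report or of pfSense: a check for the
# stale-SPD condition this issue describes. Run on the secondary after a
# config sync has disabled IPsec; both counts should be 0.
# Assumes FreeBSD setkey(8) output: every SPD entry has a "spid=" line and
# every SAD entry has an "spi=" line; an empty table prints "No SPD entries."
# or "No SAD entries." (no "spid="/"spi=" line, so the count is 0).

# Reads `setkey -DP` output on stdin, prints the number of policies.
count_spd_policies() {
    awk '/spid=/ { n++ } END { print n + 0 }'
}

# Reads `setkey -D` output on stdin, prints the number of associations.
count_sad_entries() {
    awk '/spi=/ { n++ } END { print n + 0 }'
}

# Takes an SPD dump and a SAD dump as arguments; succeeds only when both
# are empty, which is the state the secondary should be in once IPsec is off.
check_secondary_ipsec_state() {
    spd_count=$(printf '%s\n' "$1" | count_spd_policies)
    sad_count=$(printf '%s\n' "$2" | count_sad_entries)
    echo "SPD policies: $spd_count, SAD entries: $sad_count"
    [ "$spd_count" -eq 0 ] && [ "$sad_count" -eq 0 ]
}

# Constructed sample dumps (documentation addresses, not real hosts):
# one stale tunnel policy pair left behind after the sync, and clean tables.
SAMPLE_SPD_STALE='10.0.1.0/24[any] 10.0.2.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.2-198.51.100.1/unique:1
    spid=1 seq=1 pid=1234
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    out ipsec
    esp/tunnel/198.51.100.1-198.51.100.2/unique:1
    spid=2 seq=0 pid=1234
    refcnt=1'
SAMPLE_SPD_CLEAR='No SPD entries.'
SAMPLE_SAD_CLEAR='No SAD entries.'

# Live use on the secondary:  check_secondary_ipsec_state "$(setkey -DP)" "$(setkey -D)"
# Remediation, as done on the primary: `setkey -FP` flushes the SPD, `setkey -F` the SAD.
if check_secondary_ipsec_state "$SAMPLE_SPD_STALE" "$SAMPLE_SAD_CLEAR"; then
    echo "secondary is clean"
else
    echo "stale IPsec state left on secondary, flush it"
fi
```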

#1

Updated by Erick Tyack over 11 years ago

pfSense is our primary gateway running behind a telco-provided MPLS network. In the event we lose a connection at one of our remote locations, we bring an IPsec VPN up on a backup Internet connection. Once the MPLS network is restored, we tear down the IPsec VPN tunnel. Leaving the SPD in place causes a headache with routing until the SPDs are manually deleted. Is it possible to bump this bug up in priority? Thanks.

#2

Updated by Renato Botelho about 11 years ago

  • Target version set to 2.1
#3

Updated by Renato Botelho about 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
#4

Updated by luca cuzzolin almost 11 years ago

I have the same problem with 2.0 and 2.1 - 29 May snapshot.
I use Mutual PSK + Xauth for mobile clients with Policy Generation on, Proposal Checking obey, NAT traversal force, DPD on.
It does not matter how I change the options; when a mobile client disconnects, racoon does not flush the SA.

This is with racoonctl show-event when a client connects

Phase 1 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 2 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726

This is with racoonctl show-event when a client disconnects

Event 262: 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 deleted : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726

setkey -D still has the SA

80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any .........

80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any

I note in /etc/inc/ipsec.inc there is a function that disconnects mobile clients (I think; I'm not too familiar with pfSense):

function ipsec_disconnect_mobile($username) {
	if (empty($username))
		return false;
	// Only logs the user out of racoon; nothing here touches the kernel SAD/SPD
	exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
}

When I try to log out the user with racoonctl, like in the function, it doesn't flush the SA.

If I flush with setkey -F, everything works on the next reconnection, but only for one connection.

#5

Updated by Renato Botelho almost 11 years ago

  • Status changed from Feedback to New
#6

Updated by Renato Botelho almost 11 years ago

  • Status changed from New to Feedback

It's not related to this issue; if you still have a problem, please open a ticket for it.

#7

Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to Resolved

works

#8

Updated by Jim Pingle over 4 years ago

  • Category changed from 62 to XMLRPC