
Bug #2303

SPD on secondary not cleared after config sync

Added by Chris Buechler about 7 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Config sync
Target version:
Start date: 03/20/2012
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

When IPsec is disabled on the primary, it syncs over and disables it on the secondary, but it leaves the SPD in place. The SPD and SAD have to be cleared on the secondary in such situations, same as they are on the primary.
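The post-sync check the description calls for, as an added example (not pfSense's own code and not the fix in revision d026178f): a POSIX shell audit that parses the FreeBSD setkey(8) dumps of the SPD (setkey -DP) and SAD (setkey -D) on the secondary and reports stale kernel state when the synced config has IPsec disabled. The flush commands it names (setkey -FP for the SPD, setkey -F for the SAD) are the standard setkey flags; the function names and the sample dumps are constructed for the example, with addresses from documentation ranges.

```shell
#!/bin/sh
# Added example (not pfSense's own code): audit the kernel SPD/SAD on a
# secondary node after a config sync. The sample dumps below are constructed
# in the FreeBSD setkey(8) -DP / -D output format.

# Count security policies in `setkey -DP` output (one "spid=" line per policy).
spd_count() {
    grep -c '^[[:space:]]*spid=' || true
}

# Count security associations in `setkey -D` output (one "<proto> mode=" line per SA).
sad_count() {
    grep -Ec '^[[:space:]]*(esp|ah|esp-udp|ipcomp) mode=' || true
}

# $1: synced IPsec state ("enabled" or "disabled"); $2: captured `setkey -DP`
# output; $3: captured `setkey -D` output. Prints what would need flushing and
# returns 1 when the secondary still carries policies or SAs it should not.
ipsec_sync_audit() {
    state=$1
    policies=$(printf '%s\n' "$2" | spd_count)
    sas=$(printf '%s\n' "$3" | sad_count)
    if [ "$state" = "enabled" ]; then
        echo "IPsec enabled: $policies policies, $sas SAs (nothing to flush)"
        return 0
    fi
    if [ "$policies" -eq 0 ] && [ "$sas" -eq 0 ]; then
        echo "IPsec disabled: SPD and SAD are empty (consistent)"
        return 0
    fi
    echo "IPsec disabled but $policies stale policies and $sas stale SAs remain"
    [ "$policies" -gt 0 ] && echo "  fix: setkey -FP   # flush the SPD"
    [ "$sas" -gt 0 ] && echo "  fix: setkey -F    # flush the SAD"
    return 1
}

# Constructed sample of `setkey -DP`: one tunnel policy per direction.
SPD_SAMPLE='10.0.1.0/24[any] 10.0.2.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.2-203.0.113.1/unique#16385
	spid=2 seq=1 pid=1234
	refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-203.0.113.2/unique#16386
	spid=1 seq=0 pid=1234
	refcnt=1'

# Constructed sample of `setkey -D`: the matching pair of ESP SAs (dummy keys).
SAD_SAMPLE='203.0.113.1 203.0.113.2
	esp mode=tunnel spi=16386(0x00004002) reqid=2(0x00000002)
	E: aes-cbc  0123456789abcdef0123456789abcdef
	A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.2 203.0.113.1
	esp mode=tunnel spi=16385(0x00004001) reqid=1(0x00000001)
	E: aes-cbc  fedcba9876543210fedcba9876543210
	A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
	seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Stand-alone demo against the constructed samples. On a real secondary, pass
# "$(setkey -DP)" and "$(setkey -D)" instead of the samples.
ipsec_sync_audit enabled "$SPD_SAMPLE" "$SAD_SAMPLE"
ipsec_sync_audit disabled "$SPD_SAMPLE" "$SAD_SAMPLE" || echo "audit failed (exit $?)"
```

The audit only reports; it never flushes anything itself, so it can be run from a sync hook or cron job to confirm that disabling IPsec on the primary really emptied the SPD and SAD on the secondary, which is exactly the symptom reported here.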

Associated revisions

Revision d026178f (diff)
Added by Renato Botelho over 6 years ago

Make sure we create / delete SPDs and SADs on secondary node when it changes on primary. Fixes #2303

History

#1 Updated by Erick Tyack almost 7 years ago

pfSense is our primary gateway running behind a telco-provided MPLS network. In the event we lose a connection at one of our remote locations, we bring an IPsec VPN up on a backup Internet connection. Once the MPLS network is restored, we tear down the IPsec VPN tunnel. Leaving the SPD in place causes a headache with routing until the SPDs are manually deleted. Is it possible to bump this bug up in priority? Thanks.

#2 Updated by Renato Botelho over 6 years ago

  • Target version set to 2.1

#3 Updated by Renato Botelho over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by luca cuzzolin about 6 years ago

I have the same problem with 2.0 and 2.1 (29 May snapshot).
I use mutual PSK + Xauth for mobile clients with Policy Generation on, Proposal Checking obey, NAT traversal force, DPD on.
It does not matter how I change the options; when a mobile client disconnects, racoon does not flush the SA.

This is the racoonctl show-event output when a client connects:

Phase 1 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 mode configuration done : 80.22.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 2 established : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726

This is the racoonctl show-event output when a client disconnects:

Event 262: 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726
Phase 1 deleted : 80.xxx.xxx.xxx4500 -> 95.xxx.xxx.xxx36726

setkey -D still has the SA:

80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any .........

80.xxx.xxx.xxx4500 95.xxx.xxx.xxx54706
esp-udp mode=any

I note that in /etc/inc/ipsec.inc there is a function that is called for mobile clients when they disconnect (I think; I'm not too familiar with pfSense):

// From /etc/inc/ipsec.inc: log a mobile IPsec user out via racoonctl
function ipsec_disconnect_mobile($username) {
	if (empty($username))
		return false;
	exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
}

When I try to log out the user with racoonctl like in the function, it doesn't flush the SA.

If I flush with setkey -F, everything works on the next reconnection, but only for one connection.

#5 Updated by Renato Botelho almost 6 years ago

  • Status changed from Feedback to New

#6 Updated by Renato Botelho almost 6 years ago

  • Status changed from New to Feedback

It's not related to this issue, if you still have a problem please open a ticket for it.

#7 Updated by Chris Buechler almost 6 years ago

  • Status changed from Feedback to Resolved

works
