Bug #2719: Deleting IPsec tunnel does not remove SPDs - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #2719

closed

Deleting IPsec tunnel does not remove SPDs

Added by Jim Pingle over 11 years ago. Updated over 10 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

2.1

Start date:

12/13/2012

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.1

Affected Architecture:

All

Description

When you remove an IPsec tunnel, Phase 1 or Phase 2, its SPDs are left active.

Thus if you are moving from IPsec to something else, you manually have to clear the associated SPDs for traffic to flow again, or restart racoon/flush via setkey.

Logically it seems like this should result in:
When removing a Phase 2, if the Phase 2 was enabled, the SPD entries matching that phase 2 should be removed.
When removing a Phase 1, all SPDs matching its former enabled Phase 2 entries should be removed.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Anonymous over 11 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset 6fd8526b6b051529642500a38e272d4711bc6a33.

Actions

Copy link

Updated by Anonymous over 11 years ago

Applied in changeset fc8c7084e9ae69dce7f000dbf9c459397ea2b04c.

Actions

Copy link

Updated by Renato Botelho about 11 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Updated by Grischa Zengel over 10 years ago

The problem still exists.

After deleting IPsec tunnels routing didn't work for these subnets.
I first deleted phase2 and than phase1 and routing over openvpn didn't work until reboot.

Actions

Copy link

Updated by Renato Botelho over 10 years ago

Status changed from Resolved to New

Actions

Copy link

Updated by Renato Botelho over 10 years ago

Status changed from New to Feedback

Grischa Zengel wrote:

The problem still exists.

After deleting IPsec tunnels routing didn't work for these subnets.
I first deleted phase2 and than phase1 and routing over openvpn didn't work until reboot.

When you delete the IPSec tunnel, did you check and confirm that SPD is still there?

Actions

Copy link

Updated by Grischa Zengel over 10 years ago

I didn't check if the SPDs still be there but I had the conclusion of this.
From both sides I could ping both ends of openvpn gateways because I didn't use these IPs in phase2.
The IPs I used in phase2 before didn't answer until reboot.

I was in hurry to bring up the tunnel again so I hadn't time to investigate.

Actions

Copy link

Updated by Grischa Zengel over 10 years ago

Now I checked it:
If I disable IPsec phase1 the ping goes thru openvpn.
If I only delete phase2 the SPD still exists and no ping over openvpn is possible.

Last time I deleted first phase2 and than phase1, so it didn't know to delete the SPDs.

Actions

Copy link

Updated by Renato Botelho over 10 years ago

Grischa Zengel wrote:

Now I checked it:
If I disable IPsec phase1 the ping goes thru openvpn.
If I only delete phase2 the SPD still exists and no ping over openvpn is possible.

Last time I deleted first phase2 and than phase1, so it didn't know to delete the SPDs.

Could you paste the output of 'setkey -DP' after you delete phase2?

Actions

Copy link

#10

Updated by Chris Buechler over 10 years ago

Status changed from Feedback to New

this works with one exception, if you disable a P2 entry, its SPD is not removed. Deleting a P2 or P1 works fine, and disabling the P1 also correctly removes those SPD entries.

Actions

Copy link

#11