Bug #3011
Mobile client disconnect but SA not flushing
Status: closed, 0% done
Description
2.1 - 29 May snapshot.
I use mutual PSK + Xauth for mobile clients with Policy Generation on, Proposal Checking obey, NAT traversal force, DPD on.
It does not matter how I change the options: when a mobile client disconnects, racoon does not flush the SA.
This is the racoonctl show-event output when a client connects:
Phase 1 established : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 mode configuration done : 80.22.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 mode configuration done : 80.22.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 2 established : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
This is the racoonctl show-event output when a client disconnects:
Event 262: 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 deleted : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
setkey -D still shows the SA:
80.xxx.xxx.xxx[4500] 95.xxx.xxx.xxx[54706]
esp-udp mode=any .........
80.xxx.xxx.xxx[4500] 95.xxx.xxx.xxx[54706]
esp-udp mode=any
I note that in /etc/inc/ipsec.inc there is a function that handles mobile clients when they disconnect (I think; I'm not too familiar with pfSense):
function ipsec_disconnect_mobile($username) {
    // Nothing to do without a user name
    if (empty($username))
        return false;
    // Ask racoon to log out the named Xauth user
    exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
}
When I try to log out the user with racoonctl as in that function, it doesn't flush the SA.
If I flush with setkey -F, everything works on the next reconnection, but only for one connection.
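The report shows the practical problem: after "Phase 1 deleted" the phase-2 SAs stay in the SAD, and the only workaround named is setkey -F, which drops every client's SAs, not just the disconnected peer's. The following script is an added example, not code from the report or from pfSense. It parses racoonctl show-event lines and a setkey -D dump (both constructed samples modelled on the report's output, with documentation addresses), works out which peers had their phase 1 deleted without being re-established, and emits per-SA delete statements for setkey -c instead of a blanket flush. It matches SAs to peers by IP address only, because, as in the report, the NAT-T port on the SA (54706) differs from the port seen in the phase-1 events (36726). The delete statement grammar (delete src[port] dst[port] esp-udp spi;) is assumed from setkey(8); check it against your setkey version before feeding the output to it.

```python
"""Find IPsec SAs that racoon left behind after deleting a mobile peer's phase 1.

Added example; not code from the bug report or from pfSense. The sample
`racoonctl show-event` lines and `setkey -D` dump are constructed to mirror
the report's output, with documentation addresses in place of the real ones.
"""
import re

# "Phase 1 established : local[port] -> peer[port]" as racoonctl prints it
EVENT_RE = re.compile(r"^Phase 1 (established|deleted) : (\S+)\[\d+\] -> (\S+)\[\d+\]")
# First line of each SA in `setkey -D`: "src[port] dst[port]"
SA_HEAD_RE = re.compile(r"^(\S+)\[(\d+)\] (\S+)\[(\d+)\]\s*$")
# Second line: "<proto> mode=... spi=<dec>(<hex>) reqid=..."
SA_PROTO_RE = re.compile(r"^\s+(esp-udp|esp|ah|ipcomp) mode=\S+ spi=\d+\((0x[0-9a-f]+)\)")

# Constructed sample of `racoonctl show-event`: two clients connect, one leaves.
RACOON_EVENTS = """\
Phase 1 established : 192.0.2.1[4500] -> 198.51.100.7[36726]
Phase 2 established : 192.0.2.1[4500] -> 198.51.100.7[36726]
Phase 1 established : 192.0.2.1[4500] -> 203.0.113.9[41000]
Phase 2 established : 192.0.2.1[4500] -> 203.0.113.9[41000]
Phase 1 deleted : 192.0.2.1[4500] -> 198.51.100.7[36726]
"""

# Constructed sample of `setkey -D` taken after the disconnect. As in the
# report, the NAT-T port on the SA (54706) differs from the phase-1 port
# (36726), so SAs are matched to peers by IP address, not by address:port.
SETKEY_DUMP = """\
192.0.2.1[4500] 198.51.100.7[54706]
    esp-udp mode=any spi=123456789(0x075bcd15) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7[54706] 192.0.2.1[4500]
    esp-udp mode=any spi=987654321(0x3ade68b1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1[4500] 203.0.113.9[41000]
    esp-udp mode=any spi=1111(0x00000457) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.9[41000] 192.0.2.1[4500]
    esp-udp mode=any spi=2222(0x000008ae) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""


def parse_setkey_dump(text):
    """Return one dict per SA (src, sport, dst, dport, proto, spi) from `setkey -D`."""
    sas, current = [], None
    for line in text.splitlines():
        head = SA_HEAD_RE.match(line)
        if head:
            src, sport, dst, dport = head.groups()
            current = {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}
            continue
        proto = SA_PROTO_RE.match(line)
        if proto and current is not None:
            current["proto"], current["spi"] = proto.groups()
            sas.append(current)
            current = None  # remaining lines of this SA carry no identity
    return sas


def deleted_peers(events, local_ips):
    """Peers whose last phase-1 event was 'deleted'; a later 'established' clears them."""
    gone = set()
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        state, a, b = m.groups()
        for ip in (a, b):
            if ip in local_ips:
                continue
            if state == "deleted":
                gone.add(ip)
            else:
                gone.discard(ip)  # reconnected: its SAs are live again
    return gone


def stale_sas(events, dump, local_ips):
    """SAs in the dump whose remote end has a deleted, non-re-established phase 1."""
    gone = deleted_peers(events, local_ips)
    return [sa for sa in parse_setkey_dump(dump) if sa["src"] in gone or sa["dst"] in gone]


def setkey_delete_script(sas):
    """Per-SA `delete` statements for `setkey -c`, instead of a blanket `setkey -F`."""
    lines = [
        f"delete {sa['src']}[{sa['sport']}] {sa['dst']}[{sa['dport']}] {sa['proto']} {sa['spi']};"
        for sa in sas
    ]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    # Local NAT-T address of this responder; everything else in an event is a peer.
    print(setkey_delete_script(stale_sas(RACOON_EVENTS, SETKEY_DUMP, {"192.0.2.1"})), end="")
```

Run against live data by substituting the output of racoonctl show-event and setkey -D; the script touches only the SAs of peers whose phase 1 is gone, so the second client's SAs (203.0.113.9 in the sample) are left intact.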