Bug #3011

closed

Mobile client disconnect but SA not flushing

Added by luca cuzzolin over 11 years ago. Updated over 11 years ago.

Status: Rejected
Priority: High
Assignee: -
Category: -
Target version: -
Start date: 05/29/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

2.1 - 29 May snapshot.
I use mutual PSK + Xauth for mobile clients with Policy Generation on, Proposal Checking obey, NAT Traversal force, DPD on.
It does not matter how I change the options: when a mobile client disconnects, racoon does not flush the SA.

This is with racoonctl show-event when a client connects:

Phase 1 established : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 mode configuration done : 80.22.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 mode configuration done : 80.22.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 2 established : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]

This is with racoonctl show-event when a client disconnects:

Event 262: 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]
Phase 1 deleted : 80.xxx.xxx.xxx[4500] -> 95.xxx.xxx.xxx[36726]

setkey -D still has the SA:

80.xxx.xxx.xxx[4500] 95.xxx.xxx.xxx[54706]
esp-udp mode=any .........

80.xxx.xxx.xxx[4500] 95.xxx.xxx.xxx[54706]
esp-udp mode=any

I note in /etc/inc/ipsec.inc there is a function that is called when a mobile client disconnects (I think; I'm not too familiar with pfSense):

    function ipsec_disconnect_mobile($username) {
        // Nothing to do without a user name.
        if (empty($username))
            return false;
        // Ask racoon to log the named Xauth user out; the user name is
        // shell-escaped before it goes on the command line.
        exec("/usr/local/sbin/racoonctl logout-user " . escapeshellarg($username));
    }

When I try to log out the user with racoonctl like in the function, it doesn't flush the SA.

If I flush with setkey -F, everything works on the next reconnection, but only for one connection.
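An added example, not part of the bug report or of pfSense: a small script that reads setkey -D output (a constructed sample here, laid out like the excerpt above) and emits targeted setkey deleteall statements for one peer's leftover ESP SAs, as a narrower clean-up than the setkey -F the report falls back on, which also drops every other client's SAs. It assumes deleteall matches SAs on the address pair with ports stripped, and that the peer given has already been dropped at phase 1.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense): list the ESP SAs that
# "setkey -D" still shows for one peer and emit targeted setkey "deleteall"
# statements for them, instead of the global "setkey -F" the report resorts to
# (which also drops every other client's SAs).

# Constructed sample of "setkey -D" output: two SA directions for peer
# 95.0.2.10 (assumed to have disconnected) and one SA for a still-connected
# peer 198.51.100.7. Header lines are "src[port] dst[port]", followed by
# indented detail lines starting with the protocol.
SAMPLE_SAD='203.0.113.1[4500] 95.0.2.10[54706]
	esp-udp mode=any spi=305419896(0x12345678) reqid=0(0x00000000)
	E: aes-cbc 0123456789abcdef0123456789abcdef
	state=mature
95.0.2.10[54706] 203.0.113.1[4500]
	esp-udp mode=any spi=2271560481(0x87654321) reqid=0(0x00000000)
	state=mature
203.0.113.1[4500] 198.51.100.7[4500]
	esp-udp mode=any spi=16909060(0x01020304) reqid=0(0x00000000)
	state=mature'

# Print "src dst proto" for every SA that has $1 as source or destination.
# Ports are stripped and "esp-udp" is reduced to "esp" for the setkey
# statement (assumption: deleteall matches the SA on its address pair).
sa_for_peer() {
    awk -v peer="$1" '
        /^[^[:space:]]/ { src = $1; dst = $2; next }
        /^[[:space:]]+(esp|ah)/ {
            proto = $1; sub(/-udp$/, "", proto)
            s = src; t = dst; sub(/\[.*/, "", s); sub(/\[.*/, "", t)
            if (s == peer || t == peer) print s, t, proto
        }'
}

# Turn "src dst proto" lines into setkey configuration statements.
flush_statements() {
    awk '{ printf "deleteall %s %s %s;\n", $1, $2, $3 }'
}

# Dry run on the sample: prints the statements only. To apply them on the
# firewall: sa_for_peer 95.0.2.10 < sad.txt | flush_statements | setkey -c
printf '%s\n' "$SAMPLE_SAD" | sa_for_peer 95.0.2.10 | flush_statements
```

Running it against live output (setkey -D | sa_for_peer ADDR) before piping into setkey -c shows exactly which SAs would go, so a client still in phase 1 is never touched.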
