Project

General

Profile

Actions

Bug #360

closed

Editing P2 leaves old SPD entry

Added by Chris Buechler almost 15 years ago. Updated over 14 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
IPsec
Target version:
Start date:
02/14/2010
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

After editing a P2 entry, the as-edited P2 is added to the SPD, but the former P2's SPD entry is also retained. For an example see the attached screenshot. There is only one P1 with a single P2. The P2 has been edited 3 times, every edit of it is there.


Files

p2.png (17.2 KB) p2.png Chris Buechler, 02/14/2010 01:29 AM
Actions #1

Updated by Pierre POMES almost 15 years ago

Probably the same issue as #137.

"/usr/local/sbin/racoonctl -s /var/run/racoon.sock reload-config" does not work because the admin socket is in /var/db/racoon (error returned is "bad file descriptor").

However, the /var/etc/racoon.conf file specifies /var/run/racoon.sock, but it seems to be ignored when racoon starts:

  1. racoon -F -d -vvvvv -f /var/etc/racoon.conf
    Foreground mode.
    2010-02-16 21:47:22: INFO: (#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    2010-02-16 21:47:22: INFO:
    (#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    2010-02-16 21:47:22: INFO: Reading configuration from "/var/etc/racoon.conf"
    2010-02-16 21:47:22: DEBUG: call pfkey_send_register for AH
    2010-02-16 21:47:22: DEBUG: call pfkey_send_register for ESP
    2010-02-16 21:47:22: DEBUG: call pfkey_send_register for IPCOMP
    2010-02-16 21:47:22: DEBUG: open /var/db/racoon/racoon.sock as racoon management.

A quick fix could be to revert to the pfSense 1.2.3 mode, and store the socket in /var/db/racoon/racoon.sock ?

I did not change it because I don't know why it has been changed in 2.0. Any ideas ?

Actions #2

Updated by Chris Buechler almost 15 years ago

Ah yeah, that reminds me, I think Seth ran into this the last time we were testing ipsec-tools 0.8, it ignores that. We'll need to report that upstream.

Actions #3

Updated by Pierre POMES almost 15 years ago

In the meanwhile, would you like I revert it to the "1.2.3" mode ? And create a new redmine ticket to change it back when ipsec-tools will be patched ?

Actions #4

Updated by Chris Buechler almost 15 years ago

that should be fine for now, thanks

Actions #5

Updated by Pierre POMES almost 15 years ago

  • Assignee set to Pierre POMES
Actions #6

Updated by Pierre POMES almost 15 years ago

  • Status changed from New to Feedback

Same as #137 (fixed in changeset 98718ac1be2b0004254cf0ef0104a579871d94db)

Actions #7

Updated by Pierre POMES almost 15 years ago

  • % Done changed from 0 to 100
Actions #8

Updated by Chris Buechler over 14 years ago

  • Status changed from Feedback to Resolved

fixed

Actions

Also available in: Atom PDF