Bug #5699

Upgraded systems with IPsec disabled globally will have it enabled

Added by Chris Buechler over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Target version:
Start date: 12/24/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3
Affected Architecture:
Description

The removal of the global enable/disable IPsec setting means upgraded systems where it's disabled will end up with their formerly-disabled configs activated. Already has bitten one snapshot user, likely many, many others will be impacted.

I think it was misguided to remove the global enable/disable as people find it useful. It either needs to come back, or upon upgrade, add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled.

Associated revisions

Revision 33baf237 (diff)
Added by Renato Botelho over 3 years ago

Disable all IPsec P1 entries when old version has IPsec globally disabled. Fixes #5699

History

#1 Updated by Jim Thompson over 3 years ago

IPSec is on by default in -CURRENT now.

We have that patch in our tree, so IPSec is on by default in pfSense.

Why turn it off?

#2 Updated by Jim Thompson over 3 years ago

  • Assignee set to Chris Buechler

#3 Updated by Phillip Davis over 3 years ago

I would think that in production there is no need to have a global switch that disables all IPsec. I guess that was most useful when testing/playing/setting up new stuff so you can quickly disable the effect of what you were doing without actually deleting all the settings.

"add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled" seems to me like all that is needed - that way people who have existing systems where they played with IPsec somewhere in the past, have a bunch of settings in the config, and had used the global IPsec disable switch to make those settings ineffective, will upgrade and each IPsec P1 configuration will then be disabled.

#4 Updated by Renato Botelho over 3 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#5 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.

This works fine now.

#6 Updated by Jim Pingle over 3 years ago

Chris Buechler wrote:

> There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.
>
> This works fine now.

We have checkboxes for mass actions on P1s, and each row has a 'disable' button already. To cover that latter case we could have a mass disable/enable button next to the "Delete P1s" button.
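The upgrade behaviour this ticket settled on (carry a globally disabled IPsec state over to every P1) can be sketched as follows. This is an added example, not the code from revision 33baf237 or from the project; the element names (`<ipsec>`, `<enable>`, `<phase1>`, `<disabled>`, `<descr>`) and both function names are assumptions made for illustration, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed pre-upgrade config: no <enable/> under <ipsec>, which this
# sketch assumes is how the old global switch being OFF is represented.
SAMPLE_GLOBALLY_DISABLED = """<config>
  <ipsec>
    <phase1><descr>site-a</descr></phase1>
    <phase1><descr>site-b</descr><disabled/></phase1>
  </ipsec>
</config>"""


def active_phase1(xml_text):
    """Return descr of every P1 that is active once only per-P1 flags count."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return []
    return [p1.findtext("descr", default="(no descr)")
            for p1 in ipsec.findall("phase1")
            if p1.find("disabled") is None]


def migrate_ipsec_global_disable(xml_text):
    """Return (migrated_xml, descr list of P1s newly marked disabled)."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    newly_disabled = []
    # No IPsec section, or the old global switch was on: nothing to carry over.
    if ipsec is None or ipsec.find("enable") is not None:
        return ET.tostring(root, encoding="unicode"), newly_disabled
    # Global switch was off: push that state down to each P1 so no tunnel
    # comes up merely because the global setting no longer exists.
    for p1 in ipsec.findall("phase1"):
        if p1.find("disabled") is None:
            ET.SubElement(p1, "disabled")
            newly_disabled.append(p1.findtext("descr", default="(no descr)"))
    return ET.tostring(root, encoding="unicode"), newly_disabled


if __name__ == "__main__":
    print("active without migration:", active_phase1(SAMPLE_GLOBALLY_DISABLED))
    migrated, changed = migrate_ipsec_global_disable(SAMPLE_GLOBALLY_DISABLED)
    print("newly disabled:", changed)
    print("active after migration:", active_phase1(migrated))
```

A real upgrade step would run once, gated by the config version, so that a P1 the administrator re-enables afterwards is not disabled again.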
