Bug #5699
closed
Upgraded systems with IPsec disabled globally will have it enabled
Added by Chris Buechler almost 9 years ago.
Updated almost 9 years ago.
Description
The removal of the global enable/disable IPsec setting means upgraded systems where it's disabled will end up with their formerly-disabled configs activated. Already has bitten one snapshot user, likely many, many others will be impacted.
I think it was misguided to remove the global enable/disable as people find it useful. It either needs to come back, or upon upgrade, add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled.
IPSec is on by default in -CURRENT now.
We have that patch in our tree, so IPSec is on by default in pfSense.
Why turn it off?
- Assignee set to Chris Buechler
I would think that in production there is no need to have a global switch that disables all IPsec. I guess that was most useful when testing/playing/setting up new stuff so you can quickly disable the effect of what you were doing without actually deleting all the settings.
"add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled" seems to me like all that is needed - that way people who have existing systems where they played with IPsec somewhere in the past, have a bunch of settings in the config, and had used the global IPsec disable switch to make those settings ineffective, will upgrade and each IPsec P1 configuration will then be disabled.
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.
This works fine now.
Chris Buechler wrote:
There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.
This works fine now.
We have checkboxes for mass actions on P1s, and each row has a 'disable' button already. To cover that latter case we could have a mass disable/enable button next to the "Delete P1s" button.
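The upgrade-time conversion proposed in the description (when the global option was off, disable every configured P1), as an added example that is not pfSense's upgrade code and not part of this ticket. It assumes a config.xml layout in which `<ipsec>` carries an `<enable/>` flag and `<phase1>` entries with `<ikeid>` and an optional `<disabled/>`; the function names and sample config are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: global <enable/> flag absent, i.e. IPsec was globally
# disabled before the upgrade. Element names are assumptions, not from the ticket.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><descr>branch-a</descr></phase1>
    <phase1><ikeid>2</ikeid><descr>branch-b</descr><disabled/></phase1>
    <phase1><ikeid>3</ikeid><descr>lab</descr></phase1>
  </ipsec>
</pfsense>"""


def active_phase1(xml_text):
    """Return the ikeids of Phase 1 entries that have no <disabled/> marker."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return []
    return [p1.findtext("ikeid", default="?")
            for p1 in ipsec.findall("phase1")
            if p1.find("disabled") is None]


def migrate_global_disable(xml_text):
    """Carry a global 'IPsec disabled' state over to each Phase 1 entry.

    Returns (new_xml_text, ikeids_newly_disabled). The old flag is left in
    place so that running the migration twice changes nothing further.
    """
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    if ipsec is None or ipsec.find("enable") is not None:
        return xml_text, []  # no IPsec section, or it was globally enabled
    changed = []
    for p1 in ipsec.findall("phase1"):
        if p1.find("disabled") is None:  # keep tunnels already disabled as-is
            ET.SubElement(p1, "disabled")
            changed.append(p1.findtext("ikeid", default="?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("would become active without migration:", active_phase1(SAMPLE_CONFIG))
    migrated, changed = migrate_global_disable(SAMPLE_CONFIG)
    print("newly disabled:", changed)
    print("active after migration:", active_phase1(migrated))
```

Running `active_phase1` against a saved config before upgrading lists the tunnels that would come up if no conversion were applied.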