Bug #5699
closed
Upgraded systems with IPsec disabled globally will have it enabled
100%
Description
The removal of the global enable/disable IPsec setting means upgraded systems where it's disabled will end up with their formerly-disabled configs activated. Already has bitten one snapshot user, likely many, many others will be impacted.
I think it was misguided to remove the global enable/disable as people find it useful. It either needs to come back, or upon upgrade, add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled.
Updated by Jim Thompson almost 9 years ago
IPsec is on by default in -CURRENT now.
We have that patch in our tree, so IPsec is on by default in pfSense.
Why turn it off?
Updated by Phillip Davis almost 9 years ago
I would think that in production there is no need to have a global switch that disables all IPsec. I guess that was most useful when testing/playing/setting up new stuff so you can quickly disable the effect of what you were doing without actually deleting all the settings.
"add config upgrade code so every config that has the global option disabled has all of its configured P1s disabled" seems to me like all that is needed - that way people who have existing systems where they played with IPsec somewhere in the past, have a bunch of settings in the config, and had used the global IPsec disable switch to make those settings ineffective, will upgrade and each IPsec P1 configuration will then be disabled.
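The config upgrade step discussed above, sketched as an added example (this is not the project's changeset or code from any commenter): when the old global switch was off, every phase 1 entry is marked disabled so that no tunnel becomes active just because of the upgrade. The element names `ipsec`, `enable`, `phase1`, `disabled` and `ikeid`, and the sample config, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pre-upgrade config: no <enable/> under <ipsec>
# (global switch off), one P1 left enabled and one already disabled.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><descr>site-a</descr></phase1>
    <phase1><ikeid>2</ikeid><descr>site-b</descr><disabled/></phase1>
    <phase2><ikeid>1</ikeid></phase2>
  </ipsec>
</pfsense>"""


def migrate_global_ipsec_disable(config_xml):
    """Carry a global 'IPsec off' state over to per-P1 <disabled/> flags.

    Meant for configs written before the global switch was removed.
    Returns (new_xml, ikeids_changed). Element names are assumed.
    """
    root = ET.fromstring(config_xml)
    ipsec = root.find("ipsec")
    changed = []
    if ipsec is None:
        return config_xml, changed  # no IPsec section, nothing to migrate

    if ipsec.find("enable") is None:
        # Global switch was off: any P1 without its own <disabled/> would
        # go live after the upgrade, so disable it explicitly.
        for p1 in ipsec.findall("phase1"):
            if p1.find("disabled") is None:
                ET.SubElement(p1, "disabled")
                changed.append(p1.findtext("ikeid", default="?"))
    # Global switch on: per-P1 state already reflects intent, leave as is.
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, changed = migrate_global_ipsec_disable(SAMPLE_CONFIG)
    print("P1 entries disabled by migration:", changed)
    print(new_xml)
```

The returned list of changed entries doubles as a pre-upgrade audit: a non-empty result means the config holds tunnels that were only held back by the global switch.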
Updated by Renato Botelho almost 9 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 33baf237b1e09a6b15361e28466a5a94af95b297.
Updated by Chris Buechler almost 9 years ago
- Status changed from Feedback to Resolved
There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.
This works fine now.
Updated by Jim Pingle almost 9 years ago
Chris Buechler wrote:
There are instances where people want to disable IPsec to switch to a diff VPN or private WAN but leave its config in place, though it's easy enough to just disable P1s if people want, generally that's never done where there are a lot of them.
This works fine now.
We have checkboxes for mass actions on P1s, and each row has a 'disable' button already. To cover that latter case we could have a mass disable/enable button next to the "Delete P1s" button.