Bug #6275

closed

Disconnected IPsec phase 2 entries are not shown in IPsec status

Added by Yvan Masson over 5 years ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/27/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes:
Affected Version:
Affected Architecture:

Description

Hi,

First, many thanks for making this great tool.

I have an IPsec phase 1 containing three phase 2 entries. These three phase 2 entries use exactly the same settings, except for the "local network" which is different each time (see below).

The problem is: when the third phase 2 entry is down, then it does not appear in "Status -> IPsec". All other phase 2 entries appear fine.

I already tried with no luck:
- deleting and recreating the phase 2 entry
- restarting the service

Using the command line, I can connect the phase 2 (ipsec up con 3002). After that, it appears like the others in "Status -> IPsec".

The exact same configuration has been done on other pfSenses 2.1 (I know it is old) with no problem. I will try to upgrade to 3.0 as soon as I can, but I do not know when it will be: as the web UI has been reworked, it will probably work as expected.

Do not hesitate to ask if I can provide more information.

Regards,
Yvan

PS: the three phase 2 configurations:

...
<phase2>
    <ikeid>3</ikeid>
    <mode>tunnel</mode>
    <localid>
        <type>opt2</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[R&eacute;gion]]></descr>
    <uniqid>5614fa60a3da1</uniqid>
    <reqid>3</reqid>
</phase2>
<phase2>
    <ikeid>3</ikeid>
    <uniqid>572076cd23e33</uniqid>
    <mode>tunnel</mode>
    <reqid>4</reqid>
    <localid>
        <type>lan</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[Atos]]></descr>
</phase2>
<phase2>
    <ikeid>3</ikeid>
    <uniqid>572078c3c6414</uniqid>
    <mode>tunnel</mode>
    <reqid>5</reqid>
    <localid>
        <type>opt1</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[Atos2]]></descr>
...
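A way to cross-check what the report describes, as an added example that is not part of the original report or of pfSense's code: list every configured phase 2 entry that has no installed SA, so a down tunnel is reported even when a status view omits it. The `<ipsec>` wrapper, the connection names and the status lines are constructed, and the status line shape is assumed to follow the child SA lines of strongSwan's `ipsec statusall`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three phase 2 entries from the report, trimmed to the
# fields used here. The <ipsec> wrapper element is an assumption.
CONFIG_XML = """<ipsec>
<phase2><ikeid>3</ikeid><reqid>3</reqid><localid><type>opt2</type></localid>
  <descr><![CDATA[R&eacute;gion]]></descr></phase2>
<phase2><ikeid>3</ikeid><reqid>4</reqid><localid><type>lan</type></localid>
  <descr><![CDATA[Atos]]></descr></phase2>
<phase2><ikeid>3</ikeid><reqid>5</reqid><localid><type>opt1</type></localid>
  <descr><![CDATA[Atos2]]></descr></phase2>
</ipsec>"""

# Constructed sample status text (assumed "ipsec statusall" child SA line shape).
# Only the first two phase 2 entries have an installed SA.
STATUS_TEXT = """\
con3000{1}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0000001_i c0000002_o
con3001{2}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0000003_i c0000004_o
"""

def configured_phase2(xml_text):
    """Return {reqid: info} for every phase 2 entry that carries a reqid."""
    entries = {}
    for p2 in ET.fromstring(xml_text).iter("phase2"):
        reqid = p2.findtext("reqid")
        if reqid is None:  # cannot be matched to an SA without a reqid
            continue
        entries[int(reqid)] = {
            "ikeid": p2.findtext("ikeid"),
            "local": p2.findtext("localid/type"),
            "descr": p2.findtext("descr"),
        }
    return entries

def installed_reqids(status_text):
    """Collect the reqid of every child SA reported as INSTALLED."""
    return {int(m.group(1))
            for m in re.finditer(r"INSTALLED,.*?\breqid (\d+)", status_text)}

def disconnected_phase2(xml_text, status_text):
    """Configured phase 2 entries with no installed SA, ordered by reqid."""
    up = installed_reqids(status_text)
    return [dict(reqid=r, **info)
            for r, info in sorted(configured_phase2(xml_text).items())
            if r not in up]

if __name__ == "__main__":
    for p2 in disconnected_phase2(CONFIG_XML, STATUS_TEXT):
        print("DOWN: reqid %(reqid)s ikeid %(ikeid)s local %(local)s (%(descr)s)" % p2)
```
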

Actions #1

Updated by Chris Buechler over 5 years ago

  • Category set to IPsec
  • Status changed from New to Confirmed
  • Affected Version changed from 2.2.6 to 2.2.x

Pre-strongswan, each P2 showed as its own entry on status_ipsec.php, so you could see which defined P2s were up and down, and could hit the connect button for any individual ones. It ought to have the same functionality brought back there; that's a regression in status page usability.

Actions #2

Updated by Jim Pingle 5 months ago

  • Subject changed from IPsec phase 2 not shown in "Status -> IPsec" to Disconnected IPsec phase 2 entries are not shown in IPsec status
  • Status changed from Confirmed to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09
  • Affected Version deleted (2.2.x)

This is something I intend to address as a part of the current IPsec changes I'm making.

Actions #3

Updated by Jim Pingle 4 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Max Leighton 4 months ago

Tested in

2.6.0-DEVELOPMENT (amd64)
built on Sat Jul 31 01:15:09 EDT 2021
FreeBSD 12.2-STABLE

I now see the down P2 and have a button to connect it.

Actions #5

Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Resolved

Actions #6

Updated by Jim Pingle about 1 month ago

  • Plus Target Version changed from 21.09 to 22.01