Project

General

Profile

Actions
Copy link

Bug #7622

closed

Don't include disabled ipsec phase2 entries on pf table vpn_networks

Added by Spike R.D. almost 7 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Renato Botelho
Category:
IPsec
Target version:
2.4.5-p1
Start date:
06/03/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.4
Affected Architecture:

Description

PF Table vpn_networks is populated with disabled Phase 2 entries.

This may lead to underperformance if
(a) You have IPSec MSS clamping turned on
(b) The disabled phase 2 network or a subnetwork is reachable by pfsense by other path (directly connected, other VPN)
(c) MSS on this path is > IPSec MSS clamping value

Workaround:
-Delete the phase 2 instead of just disabling it

Actions
Copy link
 #2

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
Actions
Copy link
 #3

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions
Copy link
 #4

Updated by Viktor Gurov about 4 years ago

  • Status changed from Feedback to Resolved

tested on 2.5.0.a.20200319.0930

now it's OK

Actions
Copy link
 #5

Updated by Jim Pingle almost 4 years ago

  • Target version changed from 2.5.0 to 2.4.5-p1
Actions
Copy link

Also available in: Atom PDF