pfSense bugtracker | https://redmine.pfsense.org/ | 2018-07-20T22:10:25Z
pfSense - Bug #8674: Switching IPsec phase one to vti from Tunnel IPv4 and back yields unexpected behavior
https://redmine.pfsense.org/issues/8674?journal_id=37159 | 2018-07-20T22:10:25Z | Anonymous
<ul><li><strong>Category</strong> set to <i>IPsec</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37171 | 2018-07-23T00:01:43Z | Jim Thompson (jim@netgate.com)
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37172 | 2018-07-23T00:01:53Z | Jim Thompson (jim@netgate.com)
<ul><li><strong>Target version</strong> set to <i>2.4.4</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37214 | 2018-07-23T13:29:50Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37221 | 2018-07-23T16:10:19Z | Jim Pingle
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>70</i></li></ul><p>Partially done with <a class="changeset" title="Remove unneeded VTIs in IPsec sync. Issue #8674 Still needs input validation to prevent changes ..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/2c3ac0b381a5d1ed6e81105158fa7cceb682dc95">2c3ac0b381a5d1ed6e81105158fa7cceb682dc95</a> - Still needs some input validation to prevent a user from taking an action that would remove an assigned ipsecXXXX interface.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37223 | 2018-07-23T16:26:47Z | Anonymous
<p>With the provided patch applied, the behavior appears to be corrected. That is, when you switch back to Tunnel IPv4 from vti, the (ipsec1000) interface is no longer available for assignment and traffic begins to flow again.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37236 | 2018-07-24T16:10:45Z | Jim Pingle
<p>I just pushed some extra input validation which does the following:</p>
<ul>
<li>Prevents switching from VTI to another P2 mode with an assigned interface</li>
<li>Prevents disabling a VTI P2 with an assigned interface</li>
<li>Prevents deleting a VTI P2 with an assigned interface</li>
<li>Prevents deleting a P1 which contains a VTI P2 with an assigned interface</li>
</ul>
https://redmine.pfsense.org/issues/8674?journal_id=37237 | 2018-07-24T16:11:15Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37238 | 2018-07-24T16:11:21Z | Jim Pingle
<ul><li><strong>% Done</strong> changed from <i>70</i> to <i>100</i></li></ul>
https://redmine.pfsense.org/issues/8674?journal_id=37242 | 2018-07-24T23:16:16Z | Anonymous
<p>On 2.4.4.a.20180724.1715, unable to switch from VTI to another P2 mode with an assigned interface; unable to disable a VTI P2 with an assigned interface; unable to delete a VTI P2 with an assigned interface; unable to delete a P1 which contains a VTI P2 with an assigned interface. Looks good.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37246 | 2018-07-25T08:07:52Z | Jim Pingle
<p>There was one more disable case I missed yesterday: Checking disable in the P2 settings screen instead of using the button on the P1 list. I just pushed a fix for that.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37256 | 2018-07-25T12:28:34Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Assigned</i></li></ul><p>Looks like it's still possible to disable a P1 containing a VTI P2 which leads to the problem case. That also must be prevented. See <a class="issue tracker-1 status-11 priority-4 priority-default closed" title="Bug: It is possible to disable an IPsec P1 that has a VTI child P2 (Duplicate)" href="https://redmine.pfsense.org/issues/8691">#8691</a></p>
https://redmine.pfsense.org/issues/8674?journal_id=37265 | 2018-07-25T14:10:07Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li></ul><p>Applied in changeset <a class="changeset" title="Prevent disabling IPsec P1 with assigned VTI P2. Fixes #8674" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/bb4b80c856c29d5b60f712c23fd61ed928eb7c15">bb4b80c856c29d5b60f712c23fd61ed928eb7c15</a>.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37266 | 2018-07-25T14:46:39Z | Anonymous
<p>On 2.4.4.a.20180725.0317 with patches b66b72d0ae725392b0158de3a0ec0731d71cd793 and cc240e3259d90ed236872de5cba346fe092eda85 applied, the user is unable to disable a Phase one with a Phase two configured with VTI and its VTI interface assigned. The user is also unable to edit the Phase two configured with VTI and its interface assigned, to check the box to disable.</p>
<p>Looks good.</p>
https://redmine.pfsense.org/issues/8674?journal_id=37267 | 2018-07-25T14:47:06Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>