Bug #8674
closed
Switching IPsec phase one to vti from Tunnel IPv4 and back yields unexpected behavior
100%
Description
On 2.4.4.a.20180720.1418, create a site-to-site IPsec tunnel, with Tunnel IPv4 selected as the mode for the phase two. After saving and applying changes, confirm the tunnel established correctly.
Add a rule on the IPsec interface to allow any traffic.
Initiate a ping across the tunnel from a host on one side, to the firewall itself or another host on the other side. The ping will succeed.
Change the phase two's mode to vti, save, apply changes, stop and start the service.
The pings will fail. (as expected)
Visit Interfaces > Assignments and see that the ipsec1000 interface is ready to be assigned. Do not assign it.
Go back to the IPsec tunnel and change the phase two mode back to Tunnel IPv4, save, apply changes, stop and start the service.
The pings will continue to fail, despite the phase two mode being changed back to Tunnel IPv4 from vti.
Visit Interfaces > Assignments and see that the ipsec1000 interface is still ready to be assigned. Although it should no longer be available for assignment since the phase two mode is no longer vti.
Go back to the IPsec tunnel and delete it.
Go back to the Interfaces > Assignment page and the ipsec1000 interface is still ready to be assigned.
Recreating the tunnel has no effect, the phase one and phase two will come up, traffic will come in from either side but it will not pass through pfSense.
Updated by 
Updated by