<p><strong>pfSense bugtracker</strong></p>
<p><strong>pfSense - Bug #9767: Interesting Traffic Will not Initiate an IPsec VTI tunnel.</strong></p>
<p><a href="https://redmine.pfsense.org/issues/9767?journal_id=42367">Journal entry</a>, 2019-09-17T08:20:12Z, Jim Pingle</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul><p>The behavior is consistent with the config, which is set for <code>auto=start</code>. That connects at startup, but won't reconnect. Unfortunately, setting that to <code>auto=route</code> doesn't appear to work for VTI, which is likely why the backend is set to force that to <code>auto=start</code> for VTI interfaces. I suspect <code>auto=route</code> doesn't work because it relies on trap policies, but VTI cannot install any policies, so it can't find anything to do.</p>
<p>I have been able to sort of work around this with <code>closeaction=restart</code> but then it always keeps two instances of the child SA open if both sides initiate. Might need a GUI option to control that, and then only set it on one side (like setting one side responder only). When set this way you cannot manually disconnect the tunnel because strongswan will always immediately reestablish the child SA, but that is a good thing in this case.</p>
<p>I'll work on adding a GUI option for the various closeaction values:</p>
<pre>
closeaction = none | clear | hold | restart
defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see dpdaction for
meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking,
as these events might trigger the defined action when not desired. Prior to 5.1.0, closeaction was
not supported for IKEv1 connections.
</pre>
<p>This could be beneficial for other non-VTI cases as well.</p>
<p><a href="https://redmine.pfsense.org/issues/9767?journal_id=42371">Journal entry</a>, 2019-09-17T11:00:07Z, Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Add GUI option for IPsec tunnel closeaction. Fixes #9767" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/85c85e89ec7fad6974cd008d1f25676adf8e288d">85c85e89ec7fad6974cd008d1f25676adf8e288d</a>.</p>
<p><a href="https://redmine.pfsense.org/issues/9767?journal_id=43181">Journal entry</a>, 2019-12-02T15:58:30Z, Jim Pingle</p>
<ul><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>2.4.5</i></li></ul>
<p><a href="https://redmine.pfsense.org/issues/9767?journal_id=43518">Journal entry</a>, 2019-12-19T12:44:44Z, Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Close Action option is present in the GUI and is working as expected in 2.4.5.a.20191218.2354.</p>