[pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel
Hi all! Probably it is fixed in the latest snapshots, but in 1.2.3-RC2 built on Mon Aug 31 06:09:28 UTC 2009 it is a problem. If you disable an IPSec tunnel, SPD entries for this tunnel are not removed.

I was struck by this problem because I use IPSec tunnels automatically brought up when primary dedicated links between sites fail/come back up. So when the primary link comes up and the tunnel is disabled by my script, SPD entries are still in place, so no traffic goes over the primary link.

I fixed this by:

# diff -ru vpn.inc.20090925.bak vpn.inc --- vpn.inc.20090925.bak2009-09-25 10:30:24.0 -0400 +++ vpn.inc 2009-09-25 10:31:49.0 -0400 @@ -1258,7 +1258,7 @@ $spdconf = ; /* Delete old SPD policies if there are changes between the old and new */ - if(($tunnel != $oldtunnel) (is_ipaddr($oldgw))) { + if(($tunnel != $oldtunnel) (is_ipaddr($oldgw)) || $tunnel['disabled']) { $spdconf .= spddelete {$oldsa}/{$oldsn} . {$oldtunnel['remote-subnet']} any -P out ipsec . {$oldtunnel['p2']['protocol']}/tunnel/{$oldep}- . @@ -1278,7 +1278,7 @@ } } } - +if (!$tunnel['disabled']){ /* Create new SPD entries for the new configuration */ /* zap any existing SA entries beforehand */ foreach($sad_arr as $sad) { @@ -1298,7 +1298,7 @@ {$sa}/{$sn} any -P in ipsec . {$tunnel['p2']['protocol']}/tunnel/{$rgip}- . {$ep}/unique;\n; - +} log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP '{$oldgw}', current IP '{$rgip}'. Reloading policy); $now = time();

It is not a problem in 1.2-RELEASE.

Eugene

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
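Review bot: in the first hunk the new `|| $tunnel['disabled']` alternative is OR-ed onto the whole existing condition, so it also fires when `is_ipaddr($oldgw)` is false, and a disabled tunnel whose previous gateway never resolved still emits `spddelete {$oldsa}/{$oldsn} ... /tunnel/{$oldep}-` with an empty old endpoint; consider `(($tunnel != $oldtunnel) || $tunnel['disabled']) && is_ipaddr($oldgw)` so the delete stays tied to a valid old endpoint. In the last hunk the `log_error(Reloading IPsec tunnel ... Reloading policy)` line remains outside the new `if (!$tunnel['disabled'])` block, so a disabled tunnel still logs "Reloading policy" although no SPD entries were created; a distinct "tunnel disabled, SPD entries removed" message would keep the log truthful.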
Re: [pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel
On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

Hi all! Probably it is fixed in the latest snapshots, but in 1.2.3-RC2 built on Mon Aug 31 06:09:28 UTC 2009 it is a problem. If you disable an IPSec tunnel, SPD entries for this tunnel are not removed.

I was struck by this problem because I use IPSec tunnels automatically brought up when primary dedicated links between sites fail/come back up. So when the primary link comes up and the tunnel is disabled by my script, SPD entries are still in place, so no traffic goes over the primary link.

I fixed this by:

# diff -ru vpn.inc.20090925.bak vpn.inc --- vpn.inc.20090925.bak 2009-09-25 10:30:24.0 -0400 +++ vpn.inc 2009-09-25 10:31:49.0 -0400 @@ -1258,7 +1258,7 @@ $spdconf = ; /* Delete old SPD policies if there are changes between the old and new */ - if(($tunnel != $oldtunnel) (is_ipaddr($oldgw))) { + if(($tunnel != $oldtunnel) (is_ipaddr($oldgw)) || $tunnel['disabled']) { $spdconf .= spddelete {$oldsa}/{$oldsn} . {$oldtunnel['remote-subnet']} any -P out ipsec . {$oldtunnel['p2']['protocol']}/tunnel/{$oldep}- . @@ -1278,7 +1278,7 @@ } } } - +if (!$tunnel['disabled']){ /* Create new SPD entries for the new configuration */ /* zap any existing SA entries beforehand */ foreach($sad_arr as $sad) { @@ -1298,7 +1298,7 @@ {$sa}/{$sn} any -P in ipsec . {$tunnel['p2']['protocol']}/tunnel/{$rgip}- . {$ep}/unique;\n; - +} log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP '{$oldgw}', current IP '{$rgip}'. Reloading policy); $now = time();

It is not a problem in 1.2-RELEASE.

Thanks, Committed!

Scott
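A check for the failure mode Eugene describes (SPD policies lingering after a tunnel is disabled), added here as an illustration and not code from the thread or from pfSense: it scans a `setkey -DP` dump for policies that still reference the tunnel's local/remote subnet pair in either direction. The dump layout and the subnets are assumptions, and the SAMPLE text is constructed.

```shell
#!/bin/sh
# Find SPD policies that should have been removed when a tunnel was disabled.
# Assumed: FreeBSD setkey(8) "-DP" output, one selector line per policy
# ("src[any] dst[any] proto") followed by indented detail lines.
# SAMPLE is a constructed dump: two policies for the 192.168.10.0/24 <->
# 10.20.0.0/24 tunnel and one unrelated policy.
SAMPLE='192.168.10.0/24[any] 10.20.0.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.10-198.51.100.20/unique#16385
    spid=1 seq=1 pid=4711
    refcnt=1
10.20.0.0/24[any] 192.168.10.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.20-203.0.113.10/unique#16386
    spid=2 seq=0 pid=4711
    refcnt=1
192.168.10.0/24[any] 172.16.5.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.10-192.0.2.7/unique#16387
    spid=3 seq=2 pid=4711
    refcnt=1'

# stale_spd_entries LOCAL REMOTE [DUMP]
# Prints every selector line whose src/dst match the pair (in either
# direction). Reads a live `setkey -DP` when no dump text is supplied.
stale_spd_entries() {
    local_net=$1; remote_net=$2
    if [ $# -ge 3 ]; then dump=$3; else dump=$(setkey -DP); fi
    printf '%s\n' "$dump" | awk -v l="$local_net" -v r="$remote_net" '
        /^[^ \t]/ {
            src = $1; dst = $2
            sub(/\[.*/, "", src); sub(/\[.*/, "", dst)   # drop "[any]"
            if ((src == l && dst == r) || (src == r && dst == l)) print $0
        }'
}

# count_stale LOCAL REMOTE [DUMP]: number of matching policies; 0 means
# the tunnel was cleaned up correctly.
count_stale() {
    stale_spd_entries "$1" "$2" "$3" | awk 'END { print NR }'
}

# Run against the constructed dump after "disabling" the 10.20.0.0/24 tunnel.
echo "stale policies: $(count_stale 192.168.10.0/24 10.20.0.0/24 "$SAMPLE")"
```

On a real firewall, run `count_stale <local> <remote>` without the third argument right after disabling the tunnel; anything other than 0 means the policy reload did not clean up.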
[pfSense Support] vlan troubles
I have a vlan (50) setup whose parent interface is Opt2. This parent interface is set up with a static IP of 192.168.1.1/24 and is plugged into a switch A that has this port tagged into the specific vlan id of 50 as well. Switch A has a fibre connection to another switch B and the ports are both tagged into vlan 50. Switch B has a non-vlan-aware computer connected and its port is untagged into vlan 50.

From the lan side on a workstation and from the console as well, I can ping 192.168.1.1 but not the IP of the device on the untagged port of Switch B. Opt2 has a default * rule allowing everything.

Did I miss something wrt the vlan setup in pfsense? I did reboot as it mentioned while configuring this.

Thanks!
jlc
Re: [pfSense Support] vlan troubles
On Fri, Sep 25, 2009 at 6:05 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:

I have a vlan (50) setup whose parent interface is Opt2. This parent interface is set up with a static IP of 192.168.1.1/24 and is plugged into a switch A that has this port tagged into the specific vlan id of 50 as well. Switch A has a fibre connection to another switch B and the ports are both tagged into vlan 50. Switch B has a non-vlan-aware computer connected and its port is untagged into vlan 50.

From the lan side on a workstation and from the console as well, I can ping 192.168.1.1 but not the IP of the device on the untagged port of Switch B. Opt2 has a default * rule allowing everything.

Did I miss something wrt the vlan setup in pfsense? I did reboot as it mentioned while configuring this.

Thanks!
jlc

Does the vlan interface have an allow rule? You said opt2 does, but what about your vlan interface?
RE: [pfSense Support] vlan troubles
Does the vlan interface have an allow rule? You said opt2 does, but what about your vlan interface?

Yes, only Opt2. I didn't know you could create rules for the vlan interface itself? R u sure you can do this?

Thanks!
jlc