Re: [pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel

2009-10-28 Thread Ask Bjørn Hansen


On Sep 25, 2009, at 7:39, Evgeny Yurchenko wrote:

If you disable an IPSec tunnel, the SPD entries for this tunnel are not
removed.


Thank you for finding this problem and posting it to the list.

I was migrating an ipsec VPN to OpenVPN yesterday and spent hours  
unable to get it to work properly.  When browsing the list tonight I  
saw your mail and got the OpenVPN link working in 10 seconds, yay.



- ask

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel

2009-09-25 Thread Evgeny Yurchenko

Hi all!

Probably it is fixed in the latest snapshots, but in 1.2.3-RC2 built on
Mon Aug 31 06:09:28 UTC 2009 it is a problem.

If you disable an IPSec tunnel, the SPD entries for this tunnel are not removed.
I was struck by this problem because I use IPSec tunnels that are automatically
brought up when the primary dedicated links between sites fail/come back up.
So when the primary link comes up and the tunnel is disabled by my script,
the SPD entries are still in place, so no traffic goes over the primary link.

I fixed this by
# diff -ru vpn.inc.20090925.bak vpn.inc
--- vpn.inc.20090925.bak2009-09-25 10:30:24.0 -0400
+++ vpn.inc 2009-09-25 10:31:49.0 -0400
@@ -1258,7 +1258,7 @@
   $spdconf = ;

   /* Delete old SPD policies if there are changes between the old 
and new */

-   if(($tunnel != $oldtunnel)  (is_ipaddr($oldgw))) {
+   if(($tunnel != $oldtunnel)  (is_ipaddr($oldgw)) || 
$tunnel['disabled']) {

   $spdconf .= spddelete {$oldsa}/{$oldsn}  .
   {$oldtunnel['remote-subnet']} any -P out ipsec  .
   {$oldtunnel['p2']['protocol']}/tunnel/{$oldep}- .
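Review bot: the `|| $tunnel['disabled']` is appended outside the `is_ipaddr($oldgw)` guard, so a disabled tunnel whose previous gateway never resolved (no valid `$oldgw`) now enters the `spddelete` block and emits a policy built from an empty `{$oldep}`, i.e. a malformed `spddelete` line. As posted, the operator between `($tunnel != $oldtunnel)` and `(is_ipaddr($oldgw))` is also missing from the line (probably lost in transit), which makes the intended grouping hard to tell; suggest making it explicit so the address check still applies on the disable path: `if ((($tunnel != $oldtunnel) || $tunnel['disabled']) && is_ipaddr($oldgw)) {`.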
@@ -1278,7 +1278,7 @@
   }
   }
   }
-
+if (!$tunnel['disabled']){
   /* Create new SPD entries for the new configuration */
   /* zap any existing SA entries beforehand */
   foreach($sad_arr as $sad) {
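Review bot: the `foreach($sad_arr as $sad)` loop that zaps existing SA entries now sits inside the new `if (!$tunnel['disabled'])`, so disabling a tunnel removes its SPD policies (previous hunk) but leaves any established SAs for the old endpoint in the SAD; if the intent is to tear the tunnel down fully on disable, keep the SA flush outside the conditional or run it on the disable path too. Style: `+if (!$tunnel['disabled']){` sits at column 0 while the block it wraps is tab-indented, and its closing brace is in the next hunk some twenty lines away; indent it with the surrounding code and add a one-line comment that disabled tunnels only get their old policies deleted.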
@@ -1298,7 +1298,7 @@
   {$sa}/{$sn} any -P in ipsec  .
   {$tunnel['p2']['protocol']}/tunnel/{$rgip}- .
   {$ep}/unique;\n;
-
+}
   log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous 
IP '{$oldgw}', current IP '{$rgip}'. Reloading policy);


   $now = time();
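Review bot: after `+}` the `log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP '{$oldgw}', current IP '{$rgip}'. Reloading policy)` call still fires for a disabled tunnel, where no policy was reloaded and `{$rgip}` is not meaningful; log a separate message on the disable path (that the old SPD entries for the tunnel were removed) so the failover case can be told apart in the logs. The string literals in these hunks also appear without their quotation marks (`{$ep}/unique;\n;`, `$spdconf = ;`), presumably stripped by the mailer, so the patch as quoted will not apply cleanly and is better attached than pasted.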

It is not a problem in 1.2-RELEASE

Eugene
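A check Eugene's failover script could run after disabling the tunnel, as an added example that is not part of the original post or of pfSense's code: it parses a `setkey -DP` dump, lists any SPD policy that still references the tunnel's remote subnet, and generates the `spddelete` statements (in the same form the patch builds them) to clear the stale ones. The sample dump is constructed in the layout of FreeBSD's `setkey -DP`; the subnets and endpoint addresses are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not pfSense code): detect SPD policies left behind after an
# IPsec tunnel is disabled, and emit setkey(8) commands to remove them.

# Constructed sample in the layout of `setkey -DP`: two policies for the
# 10.0.1.0/24 <-> 10.0.2.0/24 tunnel and one unrelated policy (10.0.9.0/24)
# that must be left alone. Real output indents the detail lines with a tab.
SAMPLE_SPD='10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique#16385
    spid=1 seq=2 pid=1234
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique#16386
    spid=2 seq=1 pid=1234
    refcnt=1
10.0.1.0/24[any] 10.0.9.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.1-192.0.2.7/unique#16387
    spid=3 seq=0 pid=1234
    refcnt=1'

# spd_policies_for SUBNET  < spd-dump
# Prints one line per "ipsec" policy whose source or destination selector is
# SUBNET, as: src dst upperspec direction proto/mode/ep1-ep2/level
spd_policies_for() {
    awk -v want="$1" '
        # selector line, at column 0: "src[port] dst[port] upperspec"
        /^[^ \t]/ {
            src = $1; dst = $2; upper = $3
            sub(/\[.*\]$/, "", src); sub(/\[.*\]$/, "", dst)
            next
        }
        # direction line: "in|out|fwd ipsec|discard|none"
        /^[ \t]+(in|out|fwd)[ \t]/ { dir = $1; action = $2; next }
        # policy line: "proto/tunnel/src-dst/level#spid"; drop the "#spid" tail
        /^[ \t]+[a-z]+\/tunnel\// {
            pol = $1; sub(/#.*/, "", pol)
            if (action == "ipsec" && (src == want || dst == want))
                print src, dst, upper, dir, pol
        }'
}

# spd_delete_cmds SUBNET  < spd-dump
# Turns every matching policy into a setkey "spddelete" statement, in the
# same shape the vpn.inc patch above generates.
spd_delete_cmds() {
    spd_policies_for "$1" | while read -r src dst upper dir pol; do
        printf 'spddelete %s %s %s -P %s ipsec %s;\n' \
            "$src" "$dst" "$upper" "$dir" "$pol"
    done
}

# check_tunnel_removed SUBNET  < spd-dump
# Returns 0 if no policy for SUBNET remains, 1 otherwise (survivors on stderr).
check_tunnel_removed() {
    left=$(spd_policies_for "$1")
    [ -z "$left" ] && return 0
    printf 'stale SPD entries for %s:\n%s\n' "$1" "$left" >&2
    return 1
}

# Stand-alone demonstration on the constructed sample. In the failover script
# replace the printf with `setkey -DP`, and pipe the generated statements into
# `setkey -c` once they have been reviewed.
printf '%s\n' "$SAMPLE_SPD" | check_tunnel_removed 10.0.2.0/24 || {
    printf '%s\n' "$SAMPLE_SPD" | spd_delete_cmds 10.0.2.0/24
}
```

The check keys on the remote subnet rather than the peer address because that is what the policies of a disabled tunnel still carry whether or not the peer's IP has changed, which is exactly the case the patch handles; matching on the selector rather than on the SPID keeps the unrelated 10.0.9.0/24 policy untouched.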




Re: [pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel

2009-09-25 Thread Scott Ullrich
On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
 Hi all!

 Probably it is fixed in the latest snapshots, but in 1.2.3-RC2 built on Mon
 Aug 31 06:09:28 UTC 2009 it is a problem.
 If you disable an IPSec tunnel, the SPD entries for this tunnel are not removed.
 I was struck by this problem because I use IPSec tunnels that are automatically
 brought up when the primary dedicated links between sites fail/come back up. So
 when the primary link comes up and the tunnel is disabled by my script, the SPD
 entries are still in place, so no traffic goes over the primary link.
 I fixed this by
 # diff -ru vpn.inc.20090925.bak vpn.inc
 --- vpn.inc.20090925.bak        2009-09-25 10:30:24.0 -0400
 +++ vpn.inc     2009-09-25 10:31:49.0 -0400
 @@ -1258,7 +1258,7 @@
       $spdconf = ;

       /* Delete old SPD policies if there are changes between the old and
 new */
 -       if(($tunnel != $oldtunnel)  (is_ipaddr($oldgw))) {
 +       if(($tunnel != $oldtunnel)  (is_ipaddr($oldgw)) ||
 $tunnel['disabled']) {
               $spdconf .= spddelete {$oldsa}/{$oldsn}  .
                       {$oldtunnel['remote-subnet']} any -P out ipsec  .
                       {$oldtunnel['p2']['protocol']}/tunnel/{$oldep}- .
 @@ -1278,7 +1278,7 @@
                       }
               }
       }
 -
 +if (!$tunnel['disabled']){
       /* Create new SPD entries for the new configuration */
       /* zap any existing SA entries beforehand */
       foreach($sad_arr as $sad) {
 @@ -1298,7 +1298,7 @@
               {$sa}/{$sn} any -P in ipsec  .
               {$tunnel['p2']['protocol']}/tunnel/{$rgip}- .
               {$ep}/unique;\n;
 -
 +}
       log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP
 '{$oldgw}', current IP '{$rgip}'. Reloading policy);

       $now = time();

 It is not a problem in 1.2-RELEASE

Thanks, committed!

Scott
