On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko wrote:
> Hi all!
>
> probably it is fixed in the latest snapshots but in 1.2.3-RC2 built on Mon
> Aug 31 06:09:28 UTC 2009 it is a problem.
> If you disable IPSec tunnel SPD entries for this tunnel are not removed.
> I was struck by this problem because I use IPSec tunnels automatically
> brought up when primary dedicated links between sites fail/come back up. So
> when primary link comes up and the tunnel is disabled by my script SPD
> entries are still in place, so no traffic goes over primary link.
> I fixed this by
> # diff -ru vpn.inc.20090925.bak vpn.inc
> --- vpn.inc.20090925.bak 2009-09-25 10:30:24.0 -0400
> +++ vpn.inc 2009-09-25 10:31:49.0 -0400
> @@ -1258,7 +1258,7 @@
> $spdconf = "";
>
> /* Delete old SPD policies if there are changes between the old and
> new */
> - if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw))) {
> + if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw)) ||
> $tunnel['disabled']) {
> $spdconf .= "spddelete {$oldsa}/{$oldsn} " .
> "{$oldtunnel['remote-subnet']} any -P out ipsec " .
> "{$oldtunnel['p2']['protocol']}/tunnel/{$oldep}-" .
> @@ -1278,7 +1278,7 @@
> }
> }
> }
> -
> +if (!$tunnel['disabled']){
> /* Create new SPD entries for the new configuration */
> /* zap any existing SA entries beforehand */
> foreach($sad_arr as $sad) {
> @@ -1298,7 +1298,7 @@
> "{$sa}/{$sn} any -P in ipsec " .
> "{$tunnel['p2']['protocol']}/tunnel/{$rgip}-" .
> "{$ep}/unique;\n";
> -
> +}
> log_error("Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP
> '{$oldgw}', current IP '{$rgip}'. Reloading policy");
>
> $now = time();
>
> It is not a problem in 1.2-RELEASE
Thanks, Commited!
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org