On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko <[email protected]> wrote:
> Hi all!
>
> Probably it is fixed in the latest snapshots, but in 1.2.3-RC2 built on Mon
> Aug 31 06:09:28 UTC 2009 it is a problem.
> If you disable an IPSec tunnel, the SPD entries for this tunnel are not removed.
> I was struck by this problem because I use IPSec tunnels automatically
> brought up when primary dedicated links between sites fail/come back up. So
> when the primary link comes up and the tunnel is disabled by my script, SPD
> entries are still in place, so no traffic goes over the primary link.
> I fixed this by
> # diff -ru vpn.inc.20090925.bak vpn.inc
> --- vpn.inc.20090925.bak 2009-09-25 10:30:24.000000000 -0400
> +++ vpn.inc 2009-09-25 10:31:49.000000000 -0400
> @@ -1258,7 +1258,7 @@
> $spdconf = "";
>
> /* Delete old SPD policies if there are changes between the old and
> new */
> - if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw))) {
> + if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw)) ||
> $tunnel['disabled']) {
> $spdconf .= "spddelete {$oldsa}/{$oldsn} " .
> "{$oldtunnel['remote-subnet']} any -P out ipsec " .
> "{$oldtunnel['p2']['protocol']}/tunnel/{$oldep}-" .
> @@ -1278,7 +1278,7 @@
> }
> }
> }
> -
> +if (!$tunnel['disabled']){
> /* Create new SPD entries for the new configuration */
> /* zap any existing SA entries beforehand */
> foreach($sad_arr as $sad) {
> @@ -1298,7 +1298,7 @@
> "{$sa}/{$sn} any -P in ipsec " .
> "{$tunnel['p2']['protocol']}/tunnel/{$rgip}-" .
> "{$ep}/unique;\n";
> -
> +}
> log_error("Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP
> '{$oldgw}', current IP '{$rgip}'. Reloading policy");
>
> $now = time();
>
> It is not a problem in 1.2-RELEASE.
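Review bot: the new condition in the first hunk, `($tunnel != $oldtunnel) && (is_ipaddr($oldgw)) || $tunnel['disabled']`, mixes `&&` and `||` without parentheses; `&&` binds tighter, so a disabled tunnel takes the spddelete branch even when `$oldgw` is not an IP address, and `$oldsa`/`$oldep` are then interpolated into the spddelete string whatever they hold. Suggest `if ((($tunnel != $oldtunnel) || !empty($tunnel['disabled'])) && is_ipaddr($oldgw)) {`, which keeps the old gateway check as a precondition for both cases and also avoids an undefined-index notice when the `disabled` key is absent.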
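Review bot: `+if (!$tunnel['disabled']){` in the second hunk replaces a blank separator line and opens a block whose body keeps its old indentation, so the new nesting of the spdadd code is hard to see at a glance; it also reads the key unguarded. Suggest `if (empty($tunnel['disabled'])) {` with the wrapped block reindented, or computing a single `$disabled` flag above the first hunk so the delete condition and this create condition cannot drift apart.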
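Review bot: after the closing `+}` in the third hunk, the unconditional `log_error("Reloading IPsec tunnel ... Reloading policy")` still fires for a tunnel that is being disabled, so the log cannot distinguish a teardown from a reload. Suggest a distinct message for the disabled case, and confirm that the code following the hunk still hands `$spdconf` to setkey when no spdadd lines were generated, since in the disabled path the spddelete lines are the whole point of the change.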
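The decision the patch encodes (delete the old SPD entries when the tunnel changed or was disabled; add new ones only when it is enabled) is easier to check when pulled out of the surrounding string building. The PHP below is an added example, not code from pfSense's vpn.inc; `is_ipaddr()` is a stand-in for pfSense's helper of that name, `ipsec_spd_actions()` is a hypothetical function, and the tunnel arrays and the 203.0.113.10 gateway are constructed sample values. It writes the precedence out explicitly and runs the four combinations of changed/unchanged and enabled/disabled, including the case where no valid previous gateway exists.

```php
<?php
// Added example, not pfSense code: isolates the SPD decision logic from the
// patched block in vpn.inc so each case can be reasoned about on its own.

// Stand-in for pfSense's is_ipaddr() helper (assumption: same name/semantics).
function is_ipaddr($addr) {
    return is_string($addr) && filter_var($addr, FILTER_VALIDATE_IP) !== false;
}

/**
 * Decide what to do with the kernel SPD for one phase-2 tunnel (hypothetical helper).
 * Returns ['delete_old' => bool, 'create_new' => bool]:
 *  - delete_old: issue spddelete for the previous policies; this needs a valid
 *    previous gateway, otherwise the spddelete string would be malformed
 *  - create_new: issue spdadd for the current configuration
 */
function ipsec_spd_actions(array $tunnel, array $oldtunnel, $oldgw) {
    $disabled = !empty($tunnel['disabled']);   // key may be absent: no notice
    $changed  = ($tunnel != $oldtunnel);

    // Parenthesised explicitly: && binds tighter than ||, so a bare
    // "changed && valid_gw || disabled" would attempt a delete with an
    // invalid $oldgw whenever the tunnel is disabled.
    $delete_old = ($changed || $disabled) && is_ipaddr($oldgw);
    $create_new = !$disabled;

    return ['delete_old' => $delete_old, 'create_new' => $create_new];
}

// Constructed sample tunnels (RFC 5737 / RFC 1918 addresses, no real site).
$old       = ['descr' => 'site-b', 'remote-subnet' => '10.2.0.0/24',
              'p2' => ['protocol' => 'esp']];
$changed   = array_merge($old, ['remote-subnet' => '10.3.0.0/24']);
$disabledT = array_merge($old, ['disabled' => true]);

$cases = [
    'unchanged, enabled'     => [$old,       $old, '203.0.113.10'],
    'changed, enabled'       => [$changed,   $old, '203.0.113.10'],
    'disabled, valid old gw' => [$disabledT, $old, '203.0.113.10'],
    'disabled, no old gw'    => [$disabledT, [],   ''],
];

foreach ($cases as $name => [$t, $o, $gw]) {
    $r = ipsec_spd_actions($t, $o, $gw);
    printf("%-24s delete_old=%-5s create_new=%s\n", $name,
           var_export($r['delete_old'], true), var_export($r['create_new'], true));
}
```

The last case is the one the patch's unparenthesised condition gets wrong: with no valid previous gateway it would still emit a spddelete line built from empty `$oldsa`/`$oldep` values, whereas the explicit form skips the delete and, because the tunnel is disabled, the add as well.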
Thanks, Committed!

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
