PHP error in ipsec.inc after upgrade/restore (2.5.2-->2.7)

ludditus

I upgraded my pfSense CE (on Protectli FWB4) with a fresh USB install to 2.7. I restored the config saved from my 2.5.2 install before upgrading. I am now seeing a number of errors related to IPSEC VTI. I believe those errors are preventing the WAN and LAN interfaces from properly loading. I have been able to connect WAN to the modem and pull down packages, but LAN clients are not getting any access through the gateway.

The two errors that keep occurring are:

[20-Jan-2024 14:43:54 America/New_York] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:1213
Stack trace:
#0 /etc/inc/filter.inc(1954): ipsec_vti('1', true)
#1 /etc/inc/filter.inc(2559): filter_nat_rules_automatic_tonathosts()
#2 /etc/inc/filter.inc(356): filter_nat_rules_generate()
#3 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#4 {main}
  thrown in /etc/inc/ipsec.inc on line 1213

[20-Jan-2024 14:44:02 America/New_York] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:3178
Stack trace:
#0 /etc/rc.newipsecdns(69): ipsec_configure()
#1 {main}
  thrown in /etc/inc/ipsec.inc on line 3178code_text

As far as I know, I wasn't using IPSEC for anything in my previous working install. I had an OpenVPN server but don't recall anything that used IPSEC; however I don't know enough about it .

If it works, I'm happy to restore and overwrite IPSEC settings from a blank/stock config.xml section. Unfortunately I forgot to save the default config.xml when I did the fresh upgrade so I'm not sure if there is anything required between <ipsec></ipsec> in the default config.

Any other ideas on how to resolve this would be appreciated!

stephenw10

Actually 2.7 or 2.7.2?

ludditus

@stephenw10 Sorry, it was 2.7.2.

stephenw10

@ludditus said in PHP error in ipsec.inc after upgrade/restore (2.5.2-->2.7):

<ipsec></ipsec>

What do you have in the ipsec config section now?

ludditus

@stephenw10 I'll post that tonight once I get home and have access to the FW.

ludditus

@stephenw10 here's the contents of the current IPsec section in config:

<ipsec>
	<phase1>1</phase1>
	<logging>
		<dmn>-1</dmn>
		<mgr>0</mgr>
		<ike>0</ike>
		<chd>0</chd>
		<job>0</job>
		<cfg>1</cfg>
		<knl>-1</knl>
		<net>-1</net>
		<asn>-1</asn>
		<enc>-1</enc>
		<imc>0</imc>
		<imv>0</imv>
		<pts>0</pts>
		<tls>-1</tls>
		<esp>0</esp>
		<lib>0</lib>
	</logging>
	<vtimaps></vtimaps>
	<client></client>
	<async_crypto>disabled</async_crypto>
	<uniqueids>replace</uniqueids>
	<filtermode>enc</filtermode>
	<bypassrules></bypassrules>
</ipsec>

IPsec menu shows this:
IPsec tunnel error.JPG

When I click on disable it goes to the error:
error on disable.JPG

stephenw10

Hmm, well I've no idea how you've ended up with that but you should remove: <phase1>1</phase1>
That's invalid config. Just delete that line from the config file and reboot.

Steve

ludditus

@stephenw10 Thanks for the tip, I'll give that a try tonight.

ludditus

@stephenw10 Just wanted to follow up and mark this one as SOLVED — removing the <phase1>1</phase1> from <ipsec> fixed the PHP errors and allowed the interfaces to load. I’ve got it back in production and have a bit more work to restore to the original config, but your advice definitely made the difference! Thanks so much for the help.