Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC Configuration cache not flushing properly in some instances

    IPsec
    1
    1
    393
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pierre.rouveyrol
      last edited by

      Greetings,
      I work for the IT dept of a services company that is using pfsense as its gateway software.

      One of our gateways, which is hosted on a dedicated server at OVH (French hosting company) inside a vRack is used to provide ipsec tunnels to most of our clients and all of our corporate locations.
      There is a the moment 58 first phases configured, and about 200 P2.
      Some are IKEv1, some v2.

      We are in the process of migrating more tunnels to that pfs box.

      I tend to use the webgui to configure the phases, then I use the console (ipsec up con<xxxxx>) to bring them up once the remote side tells me that we are aligned, since the console output is in my opinion easier to read when diagnosing mismatches.

      During the last migration. I made a mistake : We had two P2, one of which was X.X.X.X/29 and the other X.X.X.X/32, but I wrote them both as /32s.
      I brought the tunnel up, then saw my mistaked, and attempted to change it (while the tunnel was up (in status/ipsec) and the configurations enabled (in vpn/ipsec)).

      I applied the new config, then brought the tunnel down, disabled the config, reenabled it and brought it up again.
      The new tunnel was unchanged, the two P2 were still /32.

      I checked in the console (ipsec statusall conXX), also both /32.

      I then checked the /var/etc/ipsec/ipsec.conf. Here the configuration was correct (/29 and /32).

      So I tried a "ipsec reload" to no avail.

      I then tried to restart the service through the webgui, but the service never stopped and as a result didn't restart.
      I killed everything ipsec related with a kill -9 in console, then restarted the service (/usr/local/libexec/ipsec/starter).

      Doing this fixed the situation.

      This happened twice already, with us unable to pinpoint a particular similarity between the two events.
      The first time, we realised soon after that the subnet in one of the P2 was overlapping one of our internal ones, we fixed that.
      The second time, I am positive that no overlap was present.

      I expect that the P1/P2 configs are cached somewhere I didn't find. and that this cache superseds the ipsec.conf file, even after running the "ipsec reload" command.

      I am sorry that I am not able at this time to provide an exact reproduction method, but with some of your ideas, I may be able to in the end.

      Thanks, Pierre.</xxxxx>

      1 Reply Last reply Reply Quote 0
      • First post
        Last post