bug ? ipsec p1 entry deletion deletes all p2 entries from another p1 entry

rolandk

hello,

i can reproduce this issue and minimized this down to a showcase,

when i delete disabled P1 relation for "customer b", after succesfully doing so, all P2 entries for "customer a" ipsec relations are missing. they are gone and also purged from config.xml.

need to restore config.xml afterwards.

i have looked at config.xml but i cannot see any obvious reason, why this happens.

looks like a bug to me !?

installation is quite old and has been upgraded numerous times (pfsense cluster of 2 , recent 2.7.2. release)

rolandk

there was a similar issue at https://redmine.pfsense.org/issues/11552

wickeren

Have seen similar behaviour, happened only after a reboot. Before the P2s were at least still up in status, don’t know it they were visible in the definitions, but after reboot some P1s showed up without any P2.
Same happened on 2 different Pfsense VPSes. Scratched my head about what caused this suddenly, did not even help to restore a backup as the P2s were already missing there, but as long as the box wasn’t rebooted it continued to work So I failed to notice the missing P2 for quite a long time.

Makes sense now, did indeed delete some P1s quite some time ago, not sure if I disabled them first but, might very well be the case.
Will try to reproduce it too and report back.

odric

Good morning. I had the same problem.

My incident is on site A v2.7.2 (From clean install and recovery config.xml origin v2.7.0).
In this Site A I have multiple Ipsec tunnels with multiple phases2.
When deleting an obsolete dissabled tunnel (phase1 and 2 at the same time), phases 2 of another phase1 have been deleted and I have had to run to reconfigure phases 2 of the affected tunnel. Of course, the first time I didn't see it until someone told me about the connection error and I thought that a colleague had deleted them by mistake. Then it happened to me a second time but I was already warned and I saw it when it happened.

Sorry if it is not understood very well. I have tried to be as clear as possible.

fduchaussoy

Same problem here : PFSense Plus 23.09.1

when i delete disabled P1 relation for "customer b", after succesfully doing so, all P2 entries for "customer a" ipsec relations are missing.

I don't see issue on redmine.pfsense.org ? :-O

cvd

I ran into this issue today as well on pfsense CE 2.7.2.

I deleted a disabled Phase 1 entry and it wiped out all Phase 2 entries on an unrelated tunnel.

bennyc

Hmm, I'm also confirming this behaviour.
I lost P2 details of unrelated P1 entries by deleting other P1's. Not cool...

If it can help: Version = 23.09.1-RELEASE (amd64)

SteveITS

Someone should create a Redmine bug report entry with details on how to reproduce. Include a link to this thread.

cvd

Looks like Roland filed a report that was confirmed already:
https://redmine.pfsense.org/issues/15171

Nice!