PHP error in ipsec.inc after upgrade/restore (2.5.2-->2.7)

ludditus · Jan 23, 2024, 3:38 PM

I upgraded my pfSense CE (on Protectli FWB4) with a fresh USB install to 2.7. I restored the config saved from my 2.5.2 install before upgrading. I am now seeing a number of errors related to IPSEC VTI. I believe those errors are preventing the WAN and LAN interfaces from properly loading. I have been able to connect WAN to the modem and pull down packages, but LAN clients are not getting any access through the gateway.

The two errors that keep occurring are:

[20-Jan-2024 14:43:54 America/New_York] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:1213
Stack trace:
#0 /etc/inc/filter.inc(1954): ipsec_vti('1', true)
#1 /etc/inc/filter.inc(2559): filter_nat_rules_automatic_tonathosts()
#2 /etc/inc/filter.inc(356): filter_nat_rules_generate()
#3 /etc/rc.filter_configure_sync(32): filter_configure_sync()
#4 {main}
  thrown in /etc/inc/ipsec.inc on line 1213

[20-Jan-2024 14:44:02 America/New_York] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/ipsec.inc:3178
Stack trace:
#0 /etc/rc.newipsecdns(69): ipsec_configure()
#1 {main}
  thrown in /etc/inc/ipsec.inc on line 3178code_text

As far as I know, I wasn't using IPSEC for anything in my previous working install. I had an OpenVPN server but don't recall anything that used IPSEC; however I don't know enough about it .

If it works, I'm happy to restore and overwrite IPSEC settings from a blank/stock config.xml section. Unfortunately I forgot to save the default config.xml when I did the fresh upgrade so I'm not sure if there is anything required between <ipsec></ipsec> in the default config.

Any other ideas on how to resolve this would be appreciated!

stephenw10 · Jan 23, 2024, 4:19 PM

Actually 2.7 or 2.7.2?

ludditus · Jan 23, 2024, 4:54 PM

@stephenw10 Sorry, it was 2.7.2.

stephenw10 · Jan 23, 2024, 5:26 PM

@ludditus said in PHP error in ipsec.inc after upgrade/restore (2.5.2-->2.7):

<ipsec></ipsec>

What do you have in the ipsec config section now?

ludditus · Jan 23, 2024, 7:07 PM

@stephenw10 I'll post that tonight once I get home and have access to the FW.

ludditus · Jan 24, 2024, 1:36 AM

@stephenw10 here's the contents of the current IPsec section in config:

<ipsec>
	<phase1>1</phase1>
	<logging>
		<dmn>-1</dmn>
		<mgr>0</mgr>
		<ike>0</ike>
		<chd>0</chd>
		<job>0</job>
		<cfg>1</cfg>
		<knl>-1</knl>
		<net>-1</net>
		<asn>-1</asn>
		<enc>-1</enc>
		<imc>0</imc>
		<imv>0</imv>
		<pts>0</pts>
		<tls>-1</tls>
		<esp>0</esp>
		<lib>0</lib>
	</logging>
	<vtimaps></vtimaps>
	<client></client>
	<async_crypto>disabled</async_crypto>
	<uniqueids>replace</uniqueids>
	<filtermode>enc</filtermode>
	<bypassrules></bypassrules>
</ipsec>

IPsec menu shows this:

When I click on disable it goes to the error:

stephenw10 · Jan 24, 2024, 1:16 PM

Hmm, well I've no idea how you've ended up with that but you should remove: <phase1>1</phase1>
That's invalid config. Just delete that line from the config file and reboot.

Steve

ludditus · Jan 24, 2024, 3:03 PM

@stephenw10 Thanks for the tip, I'll give that a try tonight.

ludditus · Jan 29, 2024, 3:15 AM

@stephenw10 Just wanted to follow up and mark this one as SOLVED — removing the <phase1>1</phase1> from <ipsec> fixed the PHP errors and allowed the interfaces to load. I’ve got it back in production and have a bit more work to restore to the original config, but your advice definitely made the difference! Thanks so much for the help.