IPSec: Orphan phase2 entry - can't remove
2.0-RC3 (i386) built on Sun Sep 11 21:36:53 EDT 2011
We've just come across an issue in the latest snapshot that, unfortunately, I do not expect to be able to replicate. We have a legacy phase2 IPSec entry showing up in 'Status'->'IPSec' that is not present in the IPSec configuration screen.
We're still in testing, so I was able to delete all of the phase2 entries listed on the IPSec configuration screen from both of our IPSec connections. The orphan phase2 in 'Status' is still present.
There is no information for 'remote IP' in 'Status'->'IPSec'. It has no parent phase1. I have disabled IPSec and re-enabled it but this does not clear it. Nothing relating to it shows up in the SAD and SPD databases (obviously enough) but I've tried flushing them on the command line anyway. That didn't make any difference.
In the end, I checked config.xml and the entry for the orphan phase2 was present. I used the 'Diagnostics'->'Edit File' option to remove the phase2 entry manually, then stopped and started IPSec in 'VPN'->'IPSec'. That seems to have cleared it.
Here are some specifics in case they are relevant. pfSense is installed as a two-node cluster on identical hardware. The IPSec connection terminates on a CARP WAN VIP. The orphan phase2 entry was originally associated with a particular phase1 entry that had three phase2 entries associated with it that represented three non-contiguous /24 network encryption domains. I cannot confirm the steps involved in creating the orphan entry, because the phase2 entries were undergoing extensive troubleshooting due to an issue at the remote site. They were deleted, recreated, had their descriptions changed and had the remote network range swapped around.
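The manual config.xml cleanup described in this post can be checked programmatically: the following is an added example, not the poster's procedure or pfSense code, that flags phase2 entries whose ikeid has no matching phase1 and optionally drops them. The element names (ipsec/phase1/phase2/ikeid/descr) are assumed to follow the pfSense 2.x config.xml layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not the original poster's procedure. Element names
# (ipsec/phase1/phase2/ikeid/descr) follow the pfSense 2.x config.xml
# layout as assumed here; verify against your own config.xml first.

# Constructed sample: phase1 ikeid 1 owns one phase2; the phase2 with
# ikeid 7 has no parent phase1, which is the orphan condition described above.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><descr>Site A</descr></phase1>
  <phase2><ikeid>1</ikeid><descr>Site A net 1</descr></phase2>
  <phase2><ikeid>7</ikeid><descr>Legacy orphan</descr></phase2>
</ipsec></pfsense>
"""

def _parent_ikeids(ipsec):
    """Set of ikeid values that have a phase1 entry."""
    return {p1.findtext("ikeid") for p1 in ipsec.findall("phase1")}

def find_orphan_phase2(xml_text):
    """Return descr values of phase2 entries whose ikeid matches no phase1."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return []
    parents = _parent_ikeids(ipsec)
    return [p2.findtext("descr", "") for p2 in ipsec.findall("phase2")
            if p2.findtext("ikeid") not in parents]

def remove_orphan_phase2(xml_text):
    """Return (cleaned xml, number removed) with orphan phase2 entries dropped."""
    root = ET.fromstring(xml_text)
    ipsec = root.find("ipsec")
    removed = 0
    if ipsec is not None:
        parents = _parent_ikeids(ipsec)
        for p2 in list(ipsec.findall("phase2")):  # copy: mutating while iterating
            if p2.findtext("ikeid") not in parents:
                ipsec.remove(p2)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Run `find_orphan_phase2` against a backup of config.xml before editing anything; as in the post, IPsec still needs a stop/start after the file changes for the status page to reflect it.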