IPSec phase2 "Automatically ping host" function broken. Bug confirmed.


  • I was checking and testing a few things with IPSec and realized that the IPSec phase2 "Automatically ping host"
    does not work and did some extensive testing to confirm it.

    However, before I put on the big drum I would like to get a confirmation that I have understood the function correctly.

    Q: Will the IPSec phase2 "Automatically ping host" do just one check (ping) at start-up OR will this do a continuous ping?
    If continuous, then how frequently will this ping go?

    From what I could see when doing a packet capture at the other end of the IPSec tunnel (using the PacketCapture function
    on the "IPSec" interface) I could NOT see any ICMP packets at all for several minutes.

    If I then manually do a ping from a separate machine on my LAN towards the same address as defined in the "Automatically ping host"
    then I see the pings going through OK.

    ### Ping sent from other machine than pfSense and captured in the pfSense on the other end of the IPSec (192.168.192.15) ###
    21:46:26.845646 (authentic,confidential): SPI 0x039a0cad: IP 192.168.120.100 > 192.168.192.15: ICMP echo request, id 1, seq 622, length 40
    21:46:26.845706 (authentic,confidential): SPI 0x0d77f156: IP 192.168.192.15 > 192.168.120.100: ICMP echo reply, id 1, seq 622, length 40
    21:46:27.847176 (authentic,confidential): SPI 0x039a0cad: IP 192.168.120.100 > 192.168.192.15: ICMP echo request, id 1, seq 623, length 40
    21:46:27.847213 (authentic,confidential): SPI 0x0d77f156: IP 192.168.192.15 > 192.168.120.100: ICMP echo reply, id 1, seq 623, length 40
    21:46:28.848099 (authentic,confidential): SPI 0x039a0cad: IP 192.168.120.100 > 192.168.192.15: ICMP echo request, id 1, seq 624, length 40
    21:46:28.848138 (authentic,confidential): SPI 0x0d77f156: IP 192.168.192.15 > 192.168.120.100: ICMP echo reply, id 1, seq 624, length 40
    21:46:29.849157 (authentic,confidential): SPI 0x039a0cad: IP 192.168.120.100 > 192.168.192.15: ICMP echo request, id 1, seq 625, length 40
    21:46:29.849195 (authentic,confidential): SPI 0x0d77f156: IP 192.168.192.15 > 192.168.120.100: ICMP echo reply, id 1, seq 625, length 40

    I have no clue as to when this potentially got broken as I haven't checked it before.

    Best regards
    Dan Lundqvist

    UPDATE: This seems to be related to IPv4 only.  IPv6 seems to do the ping correctly:
    (replaced part of the IP with "xxx" and "yyy" to protect my config.  xxx = my LAN interface, yyy: remote LAN interface)
    "Automatically ping host" is set to ping "2001:470:28:yyy::1"

    22:18:13.129961 (authentic,confidential): SPI 0x03aa3a24: IP6 2001:470:28:xxx::1 > 2001:470:28:yyy::1: ICMP6, echo request, seq 0, length 16
    22:18:13.130022 (authentic,confidential): SPI 0x07b098ff: IP6 2001:470:28:yyy::1 > 2001:470:28:xxx::1: ICMP6, echo reply, seq 0, length 16
    22:18:14.130763 (authentic,confidential): SPI 0x03aa3a24: IP6 2001:470:28:xxx::1 > 2001:470:28:yyy::1: ICMP6, echo request, seq 1, length 16
    22:18:14.130801 (authentic,confidential): SPI 0x07b098ff: IP6 2001:470:28:yyy::1 > 2001:470:28:xxx::1: ICMP6, echo reply, seq 1, length 16
    22:18:15.129818 (authentic,confidential): SPI 0x03aa3a24: IP6 2001:470:28:xxx::1 > 2001:470:28:yyy::1: ICMP6, echo request, seq 2, length 16
    22:18:15.129853 (authentic,confidential): SPI 0x07b098ff: IP6 2001:470:28:yyy::1 > 2001:470:28:xxx::1: ICMP6, echo reply, seq 2, length 16
    22:18:15.137058 (authentic,confidential): SPI 0x03aa3a24: IP6 2001:470:28:xxx::1 > 2001:470:28:yyy::1: ICMP6, echo request, seq 0, length 16
    22:18:15.137112 (authentic,confidential): SPI 0x07b098ff: IP6 2001:470:28:yyy::1 > 2001:470:28:xxx::1: ICMP6, echo reply, seq 0, length 16

    UPDATE2:
    After some more digging I could see that /var/db/ipsecpinghosts and /var/db/currentipsecpinghosts have not been populated
    with the IPs from either of my 2 IPv4 IPSec phase2 tunnels.  Only the IPv6 IP is there.

    I then tried removing one and pressing APPLY, then re-adding it and pressing APPLY again, but they are still not added to the above files.
    This is a bug…


  • I have now confirmed that it is a bug.  See UPDATE1 and 2 in previous post.

  • Rebel Alliance Developer Netgate

    Can you open up a bug report at http://redmine.pfsense.org/ that has this info plus the ipsec section of your config.xml (you can change IPs and remove keys, but make sure the IPs are still actually IPs, just not yours…)



    The correction made by Renato is half wrong.   It is correct that he needed to move the section further out of the loops
    but he placed it one step too little.   He placed it at the end of the phase2 section but it needs to be at the
    end of the phase1 "foreach" loop.  I have written this in the comment of the ticket and hope Renato corrects it before the build.

    jimp: Could you ask him to make the correction?

    It needed to be one more step out of the loop, at the end of the foreach phase1 loop, as you are doing an "unset($ipsecpinghosts);" which clears the variable,
    so it was cleared at every phase2 iteration instead of after the whole phase1/phase2 iteration, causing only the last phase2 iteration to stick in the file.
    I have confirmed that my correction now works OK.

                        }
                        $dstip = $ph2ent['pinghost'];
                        if (is_ipaddrv6($dstip)) {
                            $family = "inet6";
                        } else {
                            $family = "inet";
                        }
                        if (is_ipaddr($srcip))
                            $ipsecpinghosts[] = "{$srcip}|{$dstip}|3|||||{$family}|\n";
                    }
                }
                // ORIGINAL PLACE BEFORE CORRECTION
            }
            // OLD PLACE BY RENATO CORRECTION
        }
        // NEW PLACE
        @file_put_contents("{$g['vardb_path']}/ipsecpinghosts", $ipsecpinghosts);
        unset($ipsecpinghosts);
    }

    //Dan Lundqvist
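The placement problem described in the post above, reproduced as an added example. This is not pfSense code and not code from the thread: the config arrays are a constructed, simplified stand-in for pfSense's $a_phase1 / $a_phase2 (only 'ikeid' and 'pinghost' are real config keys; the pre-computed 'srcip' field is an assumption, since vpn.inc derives the source address from the local subnet), and is_ipaddr_simple / is_ipaddrv6_simple are local stand-ins for pfSense's is_ipaddr / is_ipaddrv6. The function returns what would be written to /var/db/ipsecpinghosts instead of writing the file, so it can be run anywhere with the PHP CLI.

```php
<?php
// Added example, not pfSense code: shows why the write+unset of
// $ipsecpinghosts must run after the whole phase1/phase2 iteration and
// not inside the phase2 loop. Config arrays below are constructed.

function is_ipaddr_simple(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

function is_ipaddrv6_simple(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
}

// One record of the ipsecpinghosts file, in the field layout used by the
// snippet in the thread: src|dst|count|||||family|
function ping_host_line(string $srcip, string $dstip): string {
    $family = is_ipaddrv6_simple($dstip) ? "inet6" : "inet";
    return "{$srcip}|{$dstip}|3|||||{$family}|\n";
}

// Builds the ipsecpinghosts content and returns it instead of writing it.
// $write_in_phase2_loop = true puts the write and the clearing of the array
// inside the phase2 loop (the broken placement); false runs them once after
// every phase1/phase2 pair has been visited (the fix).
function build_ipsecpinghosts(array $a_phase1, array $a_phase2, bool $write_in_phase2_loop): string {
    $content = "";
    $ipsecpinghosts = [];   // emptied with [] rather than unset() to avoid undefined-variable notices
    foreach ($a_phase1 as $ph1ent) {
        foreach ($a_phase2 as $ph2ent) {
            if ($ph2ent['ikeid'] != $ph1ent['ikeid'] || empty($ph2ent['pinghost'])) {
                continue;
            }
            $srcip = $ph2ent['srcip'];   // assumed pre-computed; vpn.inc derives it from the local subnet
            $dstip = $ph2ent['pinghost'];
            if (is_ipaddr_simple($srcip)) {
                $ipsecpinghosts[] = ping_host_line($srcip, $dstip);
            }
            if ($write_in_phase2_loop) {
                // Broken: each iteration overwrites the file with only what it
                // collected itself, then clears the array for the next one.
                $content = implode("", $ipsecpinghosts);
                $ipsecpinghosts = [];
            }
        }
    }
    if (!$write_in_phase2_loop) {
        // Fixed: a single write after the whole phase1/phase2 iteration.
        $content = implode("", $ipsecpinghosts);
        $ipsecpinghosts = [];
    }
    return $content;
}

// Constructed sample: two phase1 entries and three phase2 entries with ping
// hosts (two IPv4, one IPv6). Addresses are illustrative, not the thread's.
function sample_phase1(): array {
    return [['ikeid' => 1], ['ikeid' => 2]];
}

function sample_phase2(): array {
    return [
        ['ikeid' => 1, 'srcip' => '192.168.120.1', 'pinghost' => '192.168.192.15'],
        ['ikeid' => 1, 'srcip' => '2001:db8:1::1', 'pinghost' => '2001:db8:2::1'],
        ['ikeid' => 2, 'srcip' => '10.10.10.1',    'pinghost' => '10.20.20.1'],
    ];
}

// Number of non-empty records in the file content.
function record_count(string $content): int {
    return count(array_filter(explode("\n", $content), 'strlen'));
}

$broken = build_ipsecpinghosts(sample_phase1(), sample_phase2(), true);
$fixed  = build_ipsecpinghosts(sample_phase1(), sample_phase2(), false);
// Broken placement keeps only the last phase2 entry (1 record);
// the fixed placement keeps all three.
printf("broken placement: %d record(s)\n%s", record_count($broken), $broken);
printf("fixed placement:  %d record(s)\n%s", record_count($fixed), $fixed);
```

Running it with `php example.php` prints one record for the broken placement (the 10.20.20.1 host, the last phase2 entry visited) and three for the fix, which is the same symptom the thread reports: only the last phase2 iteration sticks in the file, and with a single IPv6 phase2 tunnel being the last one, only the IPv6 host shows up.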


    Renato has now done the last correction proposed and tested by me and committed it in this revision:
    https://redmine.pfsense.org/projects/pfsense/repository/revisions/923e440b75eda660a5cdbd102912fe53d61d1237

    //Danne