Netgate Discussion Forum
    IPSec->SPD not updated after change in IPSec->Config

    2.2 Snapshot Feedback and Problems - RETIRED
      eskild

      2.2-RC (i386)
      built on Sun Jan 11 18:19:43 CST 2015

      After deleting a ph2 entry, the entry is still visible in IPSec->SPD, and established and visible in IPSec->Overview.

      Tried to "Disconnect" and restart IPSec, but same result afterwards. I have not yet tried to reload.

      Edit:

      • Nevermind. After clearing SA at remote peer, the SPD is correct.

        eri--

        The idea is that it will remain there until the SA times out.
        After that strongSwan will clean that up automatically.

        I have not thought of a bad scenario from this per se, hence no further action has been taken.


          eskild

          Is it possible that old ph2 may blackhole traffic then before ph2 times out?
          To my knowledge, the order of ph2 in the SPD determines which ph2 forwards the packets.
          Say you configure a new ph2 with a subnet overlapping the old one; then the old ph2 may blackhole traffic for a period of time, depending on where the new ph2 is in the SPD list compared to the old one.


            eri--

            Have you tested this?
            To my knowledge this is not a possible scenario!


              eskild

              I have verified that after deleting a ph2 entry, the SPD is still there and the tunnel is still active. I had the following ph2 configured:

              0.0.0.0/0         10.10.12.32/28
              192.168.101.37    10.10.12.33

              After deleting "192.168.101.37 10.10.12.33" from the config, it was still present in the SPD and also visible at ipsec->overview.


                eri--

                Yeah, I know it's visible, but it should not be usable because it's pending deletion until the SA times out.
                Did you actually see a problem with traffic, or do you assume it's an issue just because you see it?


                  eskild

                  I am asking if it might blackhole traffic due to the fact that the old tunnel is still active (by the looks of it from the GUI).
                  I have not experienced that it actually will blackhole the traffic.

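The check the thread circles around (does a phase 2 that was deleted from the config still sit in the SPD, and does it sit in front of a still-configured entry that overlaps it?) can be scripted against a dumped SPD. The following is an added example and is not code from the thread, from pfSense or from strongSwan. It assumes the first-match model of SPD evaluation that eskild describes, and the configured selectors and SPD contents are constructed from the two ph2 entries quoted above, with the host-to-host entry already removed from the configuration but still present in the SPD.

```python
"""Spot stale IPsec SPD entries after a phase-2 change.

Added example, not pfSense or strongSwan code. It compares the phase-2
selectors that are still configured with the selector pairs present in
the SPD and reports (a) SPD entries that no longer correspond to any
configured phase 2 and (b) stale entries that precede an overlapping,
still-configured entry in SPD order. Part (b) assumes first-match SPD
evaluation, as supposed in the thread; the data below is constructed
from the selectors quoted there.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One phase-2 traffic selector: local network <-> remote network."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    @classmethod
    def parse(cls, local, remote):
        # A bare host address such as 10.10.12.33 becomes a /32.
        return cls(ipaddress.ip_network(local, strict=False),
                   ipaddress.ip_network(remote, strict=False))

    def overlaps(self, other):
        # Two selectors can both match a packet only if they overlap on
        # both the local and the remote side.
        return (self.local.overlaps(other.local)
                and self.remote.overlaps(other.remote))


# Constructed: phase 2 as configured after the host-to-host entry was deleted.
CONFIGURED = [Selector.parse("0.0.0.0/0", "10.10.12.32/28")]

# Constructed: what the SPD still shows, with the deleted entry first.
SPD = [
    Selector.parse("192.168.101.37", "10.10.12.33"),
    Selector.parse("0.0.0.0/0", "10.10.12.32/28"),
]


def stale_entries(configured, spd):
    """SPD entries with no matching phase 2 in the configuration."""
    wanted = set(configured)
    return [entry for entry in spd if entry not in wanted]


def shadowing_risks(configured, spd):
    """(stale, live) pairs where a stale SPD entry precedes an overlapping
    configured one, i.e. where first-match evaluation could steer traffic
    into the tunnel that is being torn down."""
    wanted = set(configured)
    risks = []
    for i, entry in enumerate(spd):
        if entry in wanted:
            continue
        for later in spd[i + 1:]:
            if later in wanted and entry.overlaps(later):
                risks.append((entry, later))
    return risks


if __name__ == "__main__":
    for entry in stale_entries(CONFIGURED, SPD):
        print(f"stale SPD entry: {entry.local} <-> {entry.remote}")
    for stale, live in shadowing_risks(CONFIGURED, SPD):
        print(f"stale {stale.local}<->{stale.remote} precedes overlapping "
              f"configured {live.local}<->{live.remote}")
```

With the constructed data the deleted 192.168.101.37 <-> 10.10.12.33 entry is reported as stale, and because it comes before the 0.0.0.0/0 <-> 10.10.12.32/28 entry that fully covers it, it is also reported as a shadowing risk; swapping the two SPD entries clears the risk while the entry is still reported as stale. The "stale" list is the useful part whichever way the kernel actually orders its lookups: an SPD entry with no configured phase 2 behind it is exactly what to watch until the SA times out.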
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.