Disable or enable Phase 1 from command line



  • The subject rather says it all, is there a way to disable or enable a phase 1 entry from command line?

    The idea is that I have a number of customers and want to set up VPN connections to each, but only activate those connections when needed. I'd like to script something on a client machine that would send an ssh command to change the ipsec phase 1 connection then restart ipsec to connect to the proper VPN, then after all is said and done, I'd like to be able to disconnect with another ssh command.



  • @jasonlshelton:

    … but only activate those connections when needed .....

    By default an IPSEC connection is really just a statement of intent - "if traffic wants to go from here to here then I want it encrypted".  It won't start unless traffic causes it to, which is why there is an option to ping to keep alive.

    If no traffic passes that will match a phase 2 whilst a P1 and P2 are valid then no network traffic will pass between the two endpoints until a P1 or P2 timeout, in which case there is a very quick flurry of packets that are negligible these days.

    IPSEC does not work like you think it does 8)  Those settings for timeouts are there for a reason, as is the ping thing.

    IPSEC is a mechanism to enforce a policy for network flows and not a thing in and of itself that you can put a finger on and call a tunnel although the word tunnel seems appropriate.  You either want to use it to encrypt network traffic between you and something else or not.  Notions of start and stop are up to you not IPSEC.

    You still have some options if you still want to think of IPSEC as a tunnel rather than a policy.  Set the P1 timeout to something shorter than the default.  errr I run out of ideas here.

    For a laugh, create a network alias called say "RFC1918_Private" with:

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    then create a firewall rule on the "floating" tab:

    Set the Action to reject, interfaces to your WAN interfaces using CTRL + click, direction "outbound", destination -> single host or alias "RFC1918_Private", tick "log packets".

    Watch the results.  Do they correspond to your policy?  If not, at least they are not potentially causing trouble any more.

    I use the above recipe to diagnose and fix a lot of problems.  It can't be a pfSense default because it would screw up a lot of setups, e.g. those behind another internet router and hence using RFC1918 addresses on WAN, but an equivalent alias can be derived for those.

    You mention ssh and I'll assume OpenSSH which can be a pretty handy tunnel provider regardless of IPSEC.  Update OpenSSL and OpenSSH to the latest if you can and only use something like webby_search:"openssh passwordless login".  If you can't update them then IPSEC it is.

    Cheers
    Jon

    PS If it helps, then you should approach IPSEC with an attitude of "I'd rather like this (encrypted connection to the other end) to happen, but I'm prepared (firewall rule + alias) for it to go horribly wrong."  Also, "I am not worthy" might help 8)



  • Your response is wonderfully confusing and misses the point entirely.

    Whether ipsec is a tunnel or on demand encryption is neither here nor there. What is relevant is that in the gui for pfsense there is a check box that says "Disable this phase 1 entry". I'd like to know if there is a way to toggle that setting from command line. Once I find out that information, I'm quite capable of using ssh to send that command from remote.
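Nobody in the thread posted a command, so here is an added example (not from the thread or from pfSense itself) of the editing step: a Python function that sets or clears the `disabled` flag on one phase 1 entry in a copy of config.xml, selected by its description. It assumes pfSense's layout of one `<phase1>` per tunnel under `<ipsec>` and that the GUI checkbox is stored as an empty `<disabled>` element; the sample config and customer names are constructed, and reloading the changed config on the firewall is a separate step not shown here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of pfSense's config.xml (assumed layout: one
# <phase1> per tunnel under <ipsec>; the GUI "Disable this phase 1 entry" box is
# assumed to appear as an empty <disabled> element when ticked).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <descr>customer-a</descr>
      <remote-gateway>203.0.113.10</remote-gateway>
      <disabled></disabled>
    </phase1>
    <phase1>
      <ikeid>2</ikeid>
      <descr>customer-b</descr>
      <remote-gateway>198.51.100.20</remote-gateway>
    </phase1>
  </ipsec>
</pfsense>
"""

def set_phase1_disabled(xml_text: str, descr: str, disabled: bool) -> str:
    """Return xml_text with the <disabled> flag on the phase1 whose <descr>
    equals descr set (disabled=True) or removed (disabled=False).
    Raises KeyError unless exactly one entry matches, so a typo in the
    description cannot silently change nothing or the wrong tunnel."""
    root = ET.fromstring(xml_text)
    matches = [p for p in root.findall("./ipsec/phase1") if p.findtext("descr") == descr]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one phase1 with descr {descr!r}, found {len(matches)}")
    p1 = matches[0]
    flag = p1.find("disabled")
    if disabled and flag is None:
        ET.SubElement(p1, "disabled")        # tick the box
    elif not disabled and flag is not None:
        p1.remove(flag)                      # untick the box
    # Already in the requested state: leave the entry untouched (idempotent).
    return ET.tostring(root, encoding="unicode")

def phase1_states(xml_text: str) -> dict:
    """Map each phase1 <descr> to True if it is disabled, for verifying a change."""
    root = ET.fromstring(xml_text)
    return {p.findtext("descr"): p.find("disabled") is not None
            for p in root.findall("./ipsec/phase1")}
```

Run it over a backup copy of config.xml first and compare `phase1_states()` before and after, so the only entry that changed is the one you named.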



  • Were you able to find a command to enable/disable IPsec tunnels from the CLI? I would also like to know if there is a way to do this, because I would like to implement an IPsec multi-WAN failover.
