configctl can't stop IPSec after upgrading from 19.1 to 19.7

Started by nwildner, August 23, 2019, 02:22:47 PM

Hi. Weeks ago, I managed to create a way to reconnect bogus IPSec tunnels.

However, after upgrading from 19.1.10 to 19.7 (and 19.7.2 after that), configctl isn't able to stop/kill strongswan anymore.

Every time I issue /usr/local/sbin/configctl ipsec stop, an "OK" is printed on the screen, but ipsec statusall shows that the tunnel is still running with only the bypass networks connection, creating a situation where no connection is available to our main office. If I try to stop the service again, another "OK" will be printed without really stopping the service.

I have a second OPNsense installation on another remote site that was deployed using 19.7 without the major version upgrade and with the same configuration (the box's local network addressing being the exception), and this feature is working great.

Is there anything else I could do to help investigate this issue?




Well, since I was afraid I didn't have enough time to investigate, because my coworkers weren't happy with this IPsec issue, I did a config export on the current firewall and imported this config on a fresh 19.7 VM.

It did the trick.

configctl is restarting the tunnel whenever my monit rule gets a match again :)

Cheers.

Actually, this solution is working fine with short outages of the link (10-15 min).

Today, our ISP suffered from problems that kept the link out for about 2 hours, and strongswan seems to hang in a way that configctl isn't able to really stop it. This is what happens after a lot of restarts (once a minute, as I've configured).


Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' ping test failed
Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' trying to restart
Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' stop: '/usr/local/sbin/configctl ipsec stop'
Aug 28 10:26:34 fw01 ipsec_starter[5513]: ipsec starter stopped
Aug 28 10:26:34 fw01 monit[75637]: 'IPSEC_RELOAD' start: '/usr/local/sbin/configctl ipsec start'
Aug 28 10:26:35 fw01 ipsec_starter[74021]: Starting strongSwan 5.8.0 IPsec [starter]...
Aug 28 10:26:35 fw01 ipsec_starter[74021]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start


Any clues?
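An added example, not from this thread nor from OPNsense, monit or strongSwan: a POSIX shell script that detects the failure mode in the log above (a monit stop/start cycle in which ipsec_starter reports that charon is still running), plus a helper that tells whether /var/run/charon.pid points at a live process. The log lines are the excerpt posted above, embedded so the script runs offline; the function names are assumptions of mine.

```sh
#!/bin/sh
# Added example: spot restart cycles where "configctl ipsec stop" returned but charon
# never exited, which ipsec_starter reports as "charon is already running".

# Sample input: the log excerpt from the post above, embedded so the script runs offline.
sample_log() {
cat <<'EOF'
Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' ping test failed
Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' trying to restart
Aug 28 10:26:33 fw01 monit[75637]: 'IPSEC_RELOAD' stop: '/usr/local/sbin/configctl ipsec stop'
Aug 28 10:26:34 fw01 ipsec_starter[5513]: ipsec starter stopped
Aug 28 10:26:34 fw01 monit[75637]: 'IPSEC_RELOAD' start: '/usr/local/sbin/configctl ipsec start'
Aug 28 10:26:35 fw01 ipsec_starter[74021]: Starting strongSwan 5.8.0 IPsec [starter]...
Aug 28 10:26:35 fw01 ipsec_starter[74021]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
EOF
}

# count_stale_restarts: reads log lines on stdin and prints how many monit
# stop/start cycles ended with the starter refusing to launch charon because
# the old pid file was still present (i.e. the "stop" did not really stop it).
count_stale_restarts() {
    awk '
        /monit\[[0-9]+\]: .* stop: / { pending = 1; next }
        pending && /ipsec_starter\[[0-9]+\]: charon is already running/ { n++; pending = 0 }
        END { print n + 0 }
    '
}

# pidfile_is_stale PIDFILE (hypothetical helper): succeeds (exit 0) when the pid
# file exists but no process with that pid is alive, the state the starter trips
# over. kill -0 only probes for existence; it assumes we run as the user that
# owns charon (root on the firewall), otherwise EPERM would look like "gone".
pidfile_is_stale() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1          # no file: nothing stale
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 0              # empty or garbage pid file: treat as stale
    ! kill -0 "$pid" 2>/dev/null
}

# Stand-alone usage: report on the embedded sample and on the real pid file, if any.
echo "stale restart cycles in sample log: $(sample_log | count_stale_restarts)"
if pidfile_is_stale /var/run/charon.pid; then
    echo "/var/run/charon.pid exists but its process is gone"
fi
```

Run against the firewall's own log (e.g. `count_stale_restarts < /var/log/system.log`) a non-zero count means the monit restart loop is spinning without ever bringing charon back.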