Summary: | Passive IPsec connection can not be disabled | ||
---|---|---|---|
Product: | IPFire | Reporter: | ipf-tom |
Component: | --- | Assignee: | Assigned to nobody - feel free to grab it and work on it <nobody> |
Status: | CLOSED FIXED | QA Contact: | Peter Müller <peter.mueller> |
Severity: | Balancing | ||
Priority: | Will affect an average number of users | CC: | michael.tremer, peter.mueller |
Version: | 2 | Keywords: | Security |
Hardware: | unspecified | Flags: | michael.tremer: needinfo+ |
OS: | Unspecified | ||
Bug Depends on: | |||
Bug Blocks: | 11618 | ||
Attachments: | deactivated connection still "waiting" |
I have no idea what this bug report is supposed to be about. Sounds like an aesthetic issue for me. Please provide details.

Sorry, while writing the description it got scrambled. On the second try I did copy the wrong lines from the release notes :-(

The issue is about the following entry:

IPsec
It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.

This is a good new feature. It has a minor, but not aesthetic issue:

An IPsec connection can be disabled on the IPsec overview (and also in the configuration of the specific definition). This is useful to deactivate a specific partner without deleting it.

I did configure a passive waiting IPsec connection. When I deactivate this connection it should _not_ continue to wait for a connection. Yes, it does only wait and is not the active part. But it seems to be still active listening for connections from the partner. This is not intended for a deactivated connection. There may be some reason not to allow this specific partner at this time.

See the screenshot, where the connection is deactivated but still listening.

I hope my issue is understandable now.

This problem can be reproduced here. My intention on disabling a connection is preventing any usage of it. However, if a passive IPsec connection is disabled in the WUI, it _can_ be used anyway. Not sure if this has security implications.

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;f=html/cgi-bin/vpnmain.cgi;h=237f3ab7d35facc6ab53bbde05b448e7e61b4cd3
I believe this has been fixed in 2018.
Created attachment 623: deactivated connection still "waiting"

In IPFire 2.21 - Core Update 123 a feature for passive waiting IPsec connections was implemented:

OpenVPN
There is better warnings about this and other cryptographic issues on the web user interface

But this type of connection cannot be disabled as before. If the activated box is cleared, the connection is still "waiting" and ipsec statusall still shows the connection.

Solution: Deactivated connections should not be running.

Workaround: To really deactivate, also change Start action to "always"
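
A check for the condition reported above, as an added example that is not part of the bug report or of IPFire's code: it parses the Connections section of ipsec statusall output and reports any connection that is meant to be disabled but is still loaded. The sample output and the connection names branch and hq are constructed, and the disabled names are passed in by hand because the page does not show where IPFire stores that state.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether connections that are
# meant to be disabled are still loaded in strongSwan.

# Print the unique connection names from the "Connections:" section of
# `ipsec statusall` output read on stdin.
loaded_connections() {
    awk '
        /^Connections:/ { in_conns = 1; next }
        /^[^ \t]/       { in_conns = 0 }   # any other top-level section ends it
        in_conns && $1 ~ /:$/ {
            sub(/:$/, "", $1)
            if (!seen[$1]++) print $1
        }
    '
}

# Arguments: names of connections that should be disabled (supplied by the
# operator; how IPFire stores that state is not shown on the page).
# Prints every such name that is still loaded; returns 1 if any was found.
still_loaded() {
    loaded=$(loaded_connections)
    rc=0
    for name in "$@"; do
        if printf '%s\n' "$loaded" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `ipsec statusall` output (documentation addresses).
sample_statusall() {
    cat <<'EOF'
Status of IKE charon daemon (constructed sample):
Listening IP addresses:
  192.0.2.1
Connections:
      branch:  192.0.2.1...198.51.100.7  IKEv2
      branch:   local:  [192.0.2.1] uses pre-shared key authentication
      branch:   child:  10.0.0.0/24 === 10.1.0.0/24 TUNNEL
          hq:  192.0.2.1...203.0.113.9  IKEv2
          hq:   child:  10.0.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none
EOF
}

# On a live system: ipsec statusall | still_loaded NAME...
sample_statusall | still_loaded branch >/dev/null || echo "still loaded: branch"
```

A non-zero exit status from still_loaded means at least one connection that should be off is still accepting negotiation from its peer.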