Bug 11854 - Passive IPsec connection can not be disabled
Summary: Passive IPsec connection can not be disabled
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
: Will affect an average number of users Balancing
Assignee: Assigned to nobody - feel free to grab it and work on it
QA Contact: Peter Müller
URL:
Keywords: Security
Depends on:
Blocks: IPSECBUGS
Reported: 2018-09-07 15:11 UTC by ipf-tom
Modified: 2024-04-08 17:23 UTC (History)

See Also:
michael.tremer: needinfo+


Attachments
deactivated connection still "waiting" (5.52 KB, image/png)
2018-09-07 15:11 UTC, ipf-tom
Description ipf-tom 2018-09-07 15:11:15 UTC
Created attachment 623
deactivated connection still "waiting"

In IPFire 2.21 - Core Update 123 a feature for passively waiting IPsec connections was implemented:

OpenVPN
    There is better warnings about this and other cryptographic issues on the web user interface

But this type of connection cannot be disabled as before. If the activated box is cleared, the connection is still "waiting" and ipsec statusall still shows the connection.

Solution: Deactivated connections should not be running.

Workaround: To really deactivate, also change Start action to "always"
Comment 1 Michael Tremer 2018-09-09 14:25:28 UTC
I have no idea what this bug report is supposed to be about. Sounds like an aesthetic issue to me. Please provide details.
Comment 2 ipf-tom 2018-09-10 07:39:15 UTC
Sorry, while writing the description it got scrambled. On the second try I copied the wrong lines from the release notes :-(

The issue is about the following entry:

IPsec
    It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.

This is a good new feature. It has a minor, but not aesthetic, issue:

IPsec connections can be disabled on the IPsec overview (and also in the configuration of the specific definition). This is useful to deactivate a specific partner without deleting it.

I did configure a passively waiting IPsec connection. When I deactivate this connection it should _not_ continue to wait for a connection. Yes, it does only wait and is not the active part. But it seems to be still actively listening for connections from the partner. This is not intended for a deactivated connection. There may be some reason not to allow this specific partner at this time.

See the screenshot, where the connection is deactivated but still listening.

I hope my issue is understandable now.
Comment 3 Peter Müller 2019-10-13 10:47:02 UTC
This problem can be reproduced here.

My intention in disabling a connection is to prevent any usage of it. However, if a passive IPsec connection is disabled in the WUI, it _can_ be used anyway.

Not sure if this has security implications.
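
A check for the condition reported in this bug, as an added example that is not part of the report or of IPFire's code: it parses ipsec statusall output and reports whether connections that are meant to be disabled are absent, still loaded (waiting for a peer), or have an established SA. The sample output and connection names are constructed, and the list of disabled names is assumed to be supplied by the operator.

```python
import re

# Constructed sample of `ipsec statusall` output (not taken from the bug report).
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan, Linux, x86_64):
  uptime: 2 hours
Listening IP addresses:
  198.51.100.10
Connections:
     branch1:  198.51.100.10...%any  IKEv2, dpddelay=30s
     branch1:   local:  [198.51.100.10] uses pre-shared key authentication
     branch1:   remote: uses pre-shared key authentication
     branch1:   child:  10.0.0.0/24 === 10.1.0.0/24 TUNNEL, dpdaction=clear
     partner2:  198.51.100.10...203.0.113.7  IKEv2
     partner2:   child:  10.0.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    partner2[3]: ESTABLISHED 5 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.7[203.0.113.7]
    partner2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
"""

def parse_statusall(text):
    """Return (loaded, active): names under 'Connections:' and under 'Security Associations'."""
    loaded, active, section = set(), set(), None
    for line in text.splitlines():
        if line.startswith("Connections:"):
            section = loaded
        elif line.startswith("Security Associations"):
            section = active
        elif not line.startswith((" ", "\t")):
            section = None  # any other unindented line ends the current section
        elif section is not None:
            # Matches "name:", "name[3]:" (IKE SA) and "name{1}:" (child SA).
            m = re.match(r"\s+([^\s:\[{]+)(?:\[\d+\]|\{\d+\})?:", line)
            if m:
                section.add(m.group(1))
    return loaded, active

def audit_disabled(text, disabled):
    """Map each disabled connection to 'absent', 'loaded' (still waiting) or 'active'."""
    loaded, active = parse_statusall(text)
    return {n: "active" if n in active else "loaded" if n in loaded else "absent"
            for n in disabled}

if __name__ == "__main__":
    # Assumption: these names were unchecked ("disabled") in the web UI.
    for name, state in audit_disabled(SAMPLE_STATUSALL, ["branch1", "old-peer"]).items():
        print(f"{name}: {state}")
```

Any result other than "absent" for a disabled name means the daemon still holds the connection definition and a peer can bring it up.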