Open
Bug
Labels
testing: Packages are available from testing repositories
Description
Steps to reproduce
- Create then modify an IPsec tunnel configuration in NethSecurity
- Observe the tunnel status from the web UI
- Use `swanctl --list-sas --ike <ID>` to examine tunnel session states at the CLI
Expected behavior
- When tunnel configuration is modified, changes should be consistently applied to the running system and reflected both in the UI and API states.
- Tunnel should show as "connected" when sessions are established.
- Reloading or reapplying tunnel configuration should not require a full service restart.
Actual behavior
- UI shows the tunnel as "not connected" despite the API showing it as "INSTALLED".
- The system uses `grep ESTABLISHED` for session status but the main configuration ID (`ns_d025d5cd` as an example) does not exist, while other configurations use an ID (`ns_51f44731` another example) that does exist. Attempting `swanctl --list-sas --ike <ID>` with the main tunnel's ID fails unless using the correct underlying ID.
- The configuration appears clean, but unless a full service restart (`/etc/init.d/swanctl restart`) is performed, changes are not properly applied and session states are mismatched. This workaround does bring all VPN tunnels down briefly.
- Modifications to tunnels applied with reload do not always fully activate unless a restart is done. Session IDs can persist incorrectly, causing CLI/API/UI mismatches.
- Logs show duplicate CHILD_SA/SPIs and tunnel status confusion; this is probably the cause of the missing re-creation of the new tunnels.
Workaround
Restart the swanctl service to refresh strongSwan state:
/etc/init.d/swanctl restart
Note: this will briefly bring down all active VPN tunnels.
Components
- ns-api >= 3.4.0
See also
- Helpdesk ticket: https://helpdesk.nethesis.it/a/tickets/195376
- Mattermost discussion: https://mattermost.nethesis.it/nethesis/pl/n67dr31ti7ge7p94wrsxi6u8aa
federicoballarini
Projects
Status
Testing
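A diagnostic sketch for the mismatch reported above, added here as an example and not taken from the issue or from NethSecurity's code. In strongSwan, `ESTABLISHED` is the IKE_SA state and `INSTALLED` is the CHILD_SA state, so the script reports the IKE_SA state for an exact connection ID and counts CHILD_SAs installed more than once. The helper names (`sample_sas`, `ike_state`, `dup_children`), the sample output, and the `_tunnel_1` child name are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `swanctl --list-sas` output (not captured from a real system).
sample_sas() {
cat <<'EOF'
ns_51f44731: #3, ESTABLISHED, IKEv2, 0a1b2c3d4e5f6071_i* 8191a2b3c4d5e6f7_r
  local  'gw-a' @ 192.0.2.1[4500]
  remote 'gw-b' @ 198.51.100.7[4500]
  established 412s ago, rekeying in 13022s
  ns_51f44731_tunnel_1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 412s ago, rekeying in 2870s, expires in 3548s
    local  10.10.0.0/24
    remote 10.20.0.0/24
  ns_51f44731_tunnel_1: #6, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 12s ago, rekeying in 3270s, expires in 3948s
    local  10.10.0.0/24
    remote 10.20.0.0/24
EOF
}

# ike_state ID: read list-sas output on stdin and print the state of the
# IKE_SA whose name is exactly ID, or MISSING when no such SA is listed.
# An exact name match avoids a false "connected" from a substring grep.
ike_state() {
  awk -v id="$1" '
    /^[^ ]/ { n = $1; sub(/:$/, "", n)
              if (n == id && st == "") { st = $3; sub(/,$/, "", st) } }
    END     { print (st == "" ? "MISSING" : st) }'
}

# dup_children: read list-sas output on stdin and print "<child> <count>"
# for every CHILD_SA name that is INSTALLED more than once.
dup_children() {
  awk '
    /^ +[^ ]+: #[0-9]+,/ && /INSTALLED/ { n = $1; sub(/:$/, "", n); c[n]++ }
    END { for (n in c) if (c[n] > 1) print n, c[n] }'
}

# Demo on the constructed sample, using the two IDs quoted in the issue.
for id in ns_d025d5cd ns_51f44731; do
  printf '%s: %s\n' "$id" "$(sample_sas | ike_state "$id")"
done
sample_sas | dup_children
```

On a live system, pipe `swanctl --list-sas` into the two functions in place of `sample_sas`.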