Core Update 167 IPsec issue

Hi Peter,
I am aware that you are only a small team. But you know that IPFire is also used in the business sector and a stable IPsec connection is essential here. That a hotfix takes more than 1 month is damn bad. It would be very useful to differentiate between hot fixes and core updates. It’s pretty bad practice to have to wait for a new core update to fix a serious bug. Downgrading to an earlier version cannot be the solution either, as this involves travel to and downtime at branches. Do you have any plans to change that and make something like core 167.0, 167.1 and 168.0?

Thank you Peter,

Core Update 168 from the testing repository fixed the issue!

@StevenX if you need a product with a guaranteed SLA you should consider buying something that fits your needs.

Best regards
– Zauberlehrling



you are completely free to switch to a commercial, proprietary solution. I am sure Cisco et al. will be thrilled to provide you with up-to-the-minute patches for the tens of thousands of dollars you need to pay for their products.

I presume that the IPFire project never saw a cent in donations from you - and even if it did (which I, by the way, would not benefit from), ranting at us does not make things go faster. And yes, for the record, I would wish there would be a better solution for getting such fixes out more quickly. For IPFire 3.x, we have kept that in mind - and if we had more manpower and a more constant stream of donations, you would all be using IPFire 3.x now, instead of the 2.x which is based on a decade-old build system. But we don’t, and there we are again. Q. e. d.

In the meantime: You owe us nothing. We owe nothing to you. If you are not satisfied, there are plenty of other products on the market - something commercial might be fitting your use-case better, since nobody was ever fired for buying Cisco et al., and you have a vendor support department which is paid to deal with your ranting. At IPFire, we don’t.

EDIT - after taking a quick walk and calming down a bit [apologies, it has been a sh*tty day]: Lightning Wire Labs, for the sake of completeness, offers support plans for IPFire, which come with things like guaranteed response times, and so on. Perhaps these might be worth a look; as a positive side-effect, a subscription will fund the project, too.

[Full disclosure: I am not affiliated with Lightning Wire Labs in any way.]

Peter Müller


Hi Peter,

I’m sorry if you took my request the wrong way. It wasn’t meant to be criticism and I didn’t mean to rant. I know the overall situation around IPFire and I know how and who is working on it.

I wrote this from my user point of view and I can completely understand that this collides with the sometimes thankless work on this project and gives the wrong impression.

I in no way meant to call for you to find and fix the bugs faster in general. My point was that after you found the bug, a fix was already available after 24h. This is absolutely brilliant and great work, don’t get me wrong. It’s just a damn shame that we have had to wait 3 weeks for this small fix that has a big impact for many users in the business sector or schools etc.

It would have been just damn great to be able to release fixes like this directly and not with the next core. Only that was my point. But I learned now and understood that it doesn’t seem to be possible with 2.x. Too bad.

Apart from the fact that I/we have already donated, I find this knee-jerk reaction of “Then take a paid and commercial product, if you don’t like our practice” rather unfortunate. I don’t want to be immediately seen as an ungrateful and brazen supplicant. I absolutely appreciate and respect your work, and that for many years since I came to you from IPCop. I am truly sorry if my last post conveyed otherwise.


Hi Peter,

I had no intention of generating angst with the original post. I was concerned that I was doing something wrong and was relieved that you were able to duplicate the issue. I find you all do a fantastic service with a wonderful product and annually give something - possibly not enough - to the project.

All the best,

Don Brill

I’d recommend setting up a testing/staging instance. That way you could safely test any upcoming releases and hopefully find any bugs or issues that may drop on your feet if you’d update your productive instances.

If you still feel like you need 24/7 support, I’d second the proposal with Lightning Wire’s support subscriptions.


Hi all,

just a quick information for your planning (maintenance windows, scheduled downtimes and whatnot): Core Update 168 is finally to be released on Monday.

Apologies for the delay, and best regards,
Peter Müller


I’m a bit confused as the changelog here does not mention this bugfix at all: - IPFire 2.27 - Core Update 168 released
Is it really in?


yes, it is, but fell through the cracks when I was compiling the changelog.

I will add a note regarding this bug for the sake of completeness. EDIT: Done.

Thanks, and best regards,
Peter Müller


Perfect, thanks a lot! Just wanted to be sure before I accidentally bail out our customers by updating the IPFires :smile:

In my setting, the bug is fixed. Now IPSec works as expected.


We’ve rolled out 168 on all instances now. I can confirm that there are no issues with IPSec tunnels in 168 any more.