Bug #7015

IPsec not working with specific ISP

Added by Renato Botelho 2 months ago. Updated about 1 month ago.


@luiz has the details, looks like an ESP fragment but it creates an odd state with an unknown IP address like:

enc0 icmp <- 0:0


#1 Updated by Renato Botelho 2 months ago

  • Priority changed from Normal to High

#2 Updated by Steve Wheeler about 1 month ago

Also seeing this after upgrading to 2.4.

Initially unable to ping across the tunnel but a packet capture showed pings leaving over IPSec and replies coming back. The replies were being blocked in the firewall, not matching the state opened. By adding a rule to pass that reply traffic I am able to ping but the state created is indeed very weird:

LAN icmp -> 0:0 7 / 6 588 B / 504 B
IPsec icmp -> 0:0 7 / 0 588 B / 0 B
IPsec icmp -> 0:0 6 / 0 504 B / 0 B

Yet the ping replies are correctly routed back to

Also for UDP traffic:

LAN udp -> MULTIPLE:MULTIPLE 904 / 691 593 KiB / 380 KiB
IPsec udp -> SINGLE:NO_TRAFFIC 904 / 0 593 KiB / 0 B
IPsec udp -> NO_TRAFFIC:SINGLE 648 / 0 356 KiB / 0 B

That VoIP works fine though.

For TCP traffic it appears each state only sees one half of the exchange so both block the out-of-state traffic. I had to add floating rules with direction any, flags any, and sloppy states in order to pass it.

Other users on that same IPSec server hitting the same resources are not seeing this problem. My endpoint is behind NAT so the tunnel uses NAT-T though.
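As an added example (not part of the bug report or of pfSense), a small parser for the states-table lines quoted in this thread that flags the two symptoms described: a state whose endpoint column reads 0:0 instead of an address, and an IPsec-side state that counts packets in one direction only. The sample lines are constructed from the ones above, and the "one-directional" rule is an assumed heuristic, not a pfSense check.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the pfSense states table quoted in this
# thread: iface proto dir state [pkts_out / pkts_in bytes_out / bytes_in]
SAMPLE_STATES = """\
enc0 icmp <- 0:0
LAN icmp -> 0:0 7 / 6 588 B / 504 B
IPsec icmp -> 0:0 7 / 0 588 B / 0 B
LAN udp -> MULTIPLE:MULTIPLE 904 / 691 593 KiB / 380 KiB
IPsec udp -> SINGLE:NO_TRAFFIC 904 / 0 593 KiB / 0 B
IPsec udp -> NO_TRAFFIC:SINGLE 648 / 0 356 KiB / 0 B
"""


@dataclass
class State:
    iface: str
    proto: str
    direction: str
    status: str
    pkts_out: Optional[int] = None  # counters are absent on some lines (enc0)
    pkts_in: Optional[int] = None


def parse_state(line: str) -> State:
    """Parse one states-table line; packet counters are optional."""
    t = line.split()
    st = State(t[0], t[1], t[2], t[3])
    if len(t) >= 7:
        st.pkts_out, st.pkts_in = int(t[4]), int(t[6])
    return st


def find_anomalies(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for states matching the thread's symptoms."""
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        st = parse_state(line)
        # Symptom 1: the endpoint column shows 0:0 instead of an address.
        if "0:0" in st.status:
            found.append((line, "state with unknown endpoint 0:0"))
        # Symptom 2 (assumed heuristic): on the IPsec side, packets were
        # counted outbound only, so the state never matched the reply.
        if st.iface.lower() in ("ipsec", "enc0") and st.pkts_out and st.pkts_in == 0:
            found.append((line, "one-directional IPsec state (no reply seen)"))
    return found
```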

#4 Updated by Renato Botelho about 1 month ago

Vladimir Putin wrote:

Could it be related to ?

I believe not. We just found evidence that this issue only happens when the WAN interface is behind NAT
