Project

General

Profile

Actions

Bug #12262

closed

IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules

Added by Marcos M over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

When using 0.0.0.0 as the remote gateway IP for IPsec, the automatic rules to allow port 500 and 4500 are incorrect:

pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 500 tracker 1000106373 keep state label "IPsec: Tunnel - outbound isakmp" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 500 tracker 1000106374 keep state label "IPsec: Tunnel - inbound isakmp" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 4500 tracker 1000106375 keep state label "IPsec: Tunnel - outbound nat-t" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 4500 tracker 1000106376 keep state label "IPsec: Tunnel - inbound nat-t" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto esp from (self) to 0.0.0.0 tracker 1000106377 keep state label "IPsec: Tunnel - outbound esp proto" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto esp from 0.0.0.0 to (self) tracker 1000106378 keep state label "IPsec: Tunnel - inbound esp proto" 

With the rules specifying 0.0.0.0, traffic does not match and gets dropped.


Files

Firewall-Generated Ruleset.txt (8.44 KB) Firewall-Generated Ruleset.txt Alhusein Zawi, 08/28/2021 01:02 PM
Actions #1

Updated by Marcos M over 3 years ago

  • Affected Version set to 2.5.2
Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

Need to be careful when we fix this as if the rules were correct they would match too much traffic and potentially interfere with other tunnels. See my notes on the PR.

Actions #4

Updated by Viktor Gurov over 3 years ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #5

Updated by Alhusein Zawi over 3 years ago

  1. VPN Rules
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"

2.6.0.a.20210821.0100

Actions #6

Updated by Jim Pingle over 3 years ago

Alhusein Zawi wrote in #note-5:

  1. VPN Rules
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"

2.6.0.a.20210821.0100

Is that what you expected to see?

There should also be an ESP rule in addition to those two, is it present or missing?

Actions #7

Updated by Jim Pingle over 3 years ago

  • Subject changed from IPsec P1 with Remote Gateway of 0.0.0.0 creates incorrect firewall rules to IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules

Updating subject for release notes.

Actions #8

Updated by Alhusein Zawi over 3 years ago

Is that what you expected to see?

There should also be an ESP rule in addition to those two, is it present or missing?

it is found in Firewall-Generated Ruleset(attached) , not sure about ESP

Actions #9

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to New

I don't see the "inbound esp proto" rule in that file, only "inbound isakmp" and "inbound nat-t" so it appears to be missing.

Actions #10

Updated by Marcos M over 3 years ago

  • Status changed from New to Resolved

Yes, the ESP rule is also there.

# VPN Rules
pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105291 keep state label "IPsec: test - inbound isakmp" 
pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105292 keep state label "IPsec: test - inbound nat-t" 
pass in  on $WAN   proto esp from 0.0.0.0/0 to (self) tracker 1000105293 keep state label "IPsec: test - inbound esp proto" 

Tested on:
21.09-BETA (amd64)
built on Tue Aug 24 14:04:24 EDT 2021

Actions #11

Updated by Jim Pingle about 3 years ago

  • Plus Target Version changed from 21.09 to 22.01
Actions

Also available in: Atom PDF