Bug #12262 (Closed)
IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules
Description
When using 0.0.0.0 as the remote gateway IP for IPsec, the automatic rules to allow port 500 and 4500 are incorrect:
pass out route-to ( mvneta0 192.0.2.1 ) proto udp from (self) to 0.0.0.0 port = 500 tracker 1000106373 keep state label "IPsec: Tunnel - outbound isakmp"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto udp from 0.0.0.0 to (self) port = 500 tracker 1000106374 keep state label "IPsec: Tunnel - inbound isakmp"
pass out route-to ( mvneta0 192.0.2.1 ) proto udp from (self) to 0.0.0.0 port = 4500 tracker 1000106375 keep state label "IPsec: Tunnel - outbound nat-t"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto udp from 0.0.0.0 to (self) port = 4500 tracker 1000106376 keep state label "IPsec: Tunnel - inbound nat-t"
pass out route-to ( mvneta0 192.0.2.1 ) proto esp from (self) to 0.0.0.0 tracker 1000106377 keep state label "IPsec: Tunnel - outbound esp proto"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto esp from 0.0.0.0 to (self) tracker 1000106378 keep state label "IPsec: Tunnel - inbound esp proto"
With the rules specifying 0.0.0.0, traffic does not match and gets dropped.
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Need to be careful when we fix this, as if the rules were correct they would match too much traffic and potentially interfere with other tunnels. See my notes on the PR.
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Alhusein Zawi about 3 years ago
- VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"
2.6.0.a.20210821.0100
Updated by Jim Pingle about 3 years ago
Alhusein Zawi wrote in #note-5:
- VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"
2.6.0.a.20210821.0100
Is that what you expected to see?
There should also be an ESP rule in addition to those two, is it present or missing?
Updated by Jim Pingle about 3 years ago
- Subject changed from IPsec P1 with Remote Gateway of 0.0.0.0 creates incorrect firewall rules to IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules
Updating subject for release notes.
Updated by Alhusein Zawi about 3 years ago
Is that what you expected to see?
There should also be an ESP rule in addition to those two, is it present or missing?
It is found in the Firewall-Generated Ruleset (attached), not sure about ESP.
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to New
I don't see the "inbound esp proto" rule in that file, only "inbound isakmp" and "inbound nat-t" so it appears to be missing.
Updated by Marcos M about 3 years ago
- Status changed from New to Resolved
Yes, the ESP rule is also there.
# VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105291 keep state label "IPsec: test - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105292 keep state label "IPsec: test - inbound nat-t"
pass in on $WAN proto esp from 0.0.0.0/0 to (self) tracker 1000105293 keep state label "IPsec: test - inbound esp proto"
Tested on:
21.09-BETA (amd64)
built on Tue Aug 24 14:04:24 EDT 2021
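As an added example (not pfSense's own filter code), the following Python models the rule generation this ticket is about: a wildcard ``0.0.0.0`` remote gateway yields inbound-only rules with source ``0.0.0.0/0``, as in the ruleset above, while a specific peer yields the route-to/reply-to pairs from the description, plus a check that flags rules still carrying the bare host ``0.0.0.0``. The interface name ``vtnet0``, tracker ids and descriptions are constructed placeholders.

```python
# Added example modelling the automatic pf rules pfSense creates for an IPsec
# phase 1 entry, before and after the fix in this ticket. Not pfSense's own
# filter code: interface name, tracker ids and descriptions are placeholders.

WILDCARD = "0.0.0.0"  # remote gateway value meaning "any peer" in the P1 entry

# (protocol, port, label suffix) for IKE, NAT-T and ESP
_SPECS = [("udp", 500, "isakmp"), ("udp", 4500, "nat-t"), ("esp", None, "esp proto")]


def _rule(direction, match, proto, src, dst, port, tracker, label):
    """Format one pf rule in the layout shown in the ticket."""
    p = f" port = {port}" if port is not None else ""
    return (f"pass {direction} {match} proto {proto} from {src} to {dst}{p} "
            f"tracker {tracker} keep state label \"IPsec: {label}\"")


def ipsec_p1_rules(remote_gw, iface="$WAN", ifname="vtnet0", gw_ip="192.0.2.1",
                   desc="Tunnel", tracker=1000000000):
    """Return the automatic pf rules for one phase 1 entry (fixed behaviour)."""
    rules = []
    for proto, port, name in _SPECS:
        if remote_gw == WILDCARD:
            # No single peer to route to, so only inbound rules are emitted, and
            # the source is the network 0.0.0.0/0 ("any"). The buggy rules used
            # the host 0.0.0.0, which no packet ever matches.
            rules.append(_rule("in", f"on {iface}", proto, "0.0.0.0/0", "(self)",
                               port, tracker, f"{desc} - inbound {name}"))
            tracker += 1
        else:
            # Specific peer: outbound via route-to and inbound with reply-to,
            # pinned to the peer address so other tunnels' traffic is not matched.
            rules.append(_rule("out", f"route-to ( {ifname} {gw_ip} )", proto, "(self)",
                               remote_gw, port, tracker, f"{desc} - outbound {name}"))
            rules.append(_rule("in", f"on {iface} reply-to ( {ifname} {gw_ip} )", proto,
                               remote_gw, "(self)", port, tracker + 1, f"{desc} - inbound {name}"))
            tracker += 2
    return rules


def dead_rules(rules):
    """Flag rules whose 'from' or 'to' address is the bare host 0.0.0.0: they
    can never match traffic, which is the symptom reported in this ticket."""
    flagged = []
    for r in rules:
        toks = r.split()
        addrs = [toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("from", "to")]
        if WILDCARD in addrs:
            flagged.append(r)
    return flagged
```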
Updated by Jim Pingle almost 3 years ago
- Plus Target Version changed from 21.09 to 22.01