Project

General

Profile

Actions

Bug #12262

closed

IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules

Added by Marcos Mendoza 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.09
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

When using 0.0.0.0 as the remote gateway IP for IPsec, the automatic rules to allow port 500 and 4500 are incorrect:

pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 500 tracker 1000106373 keep state label "IPsec: Tunnel - outbound isakmp" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 500 tracker 1000106374 keep state label "IPsec: Tunnel - inbound isakmp" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 4500 tracker 1000106375 keep state label "IPsec: Tunnel - outbound nat-t" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 4500 tracker 1000106376 keep state label "IPsec: Tunnel - inbound nat-t" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto esp from (self) to 0.0.0.0 tracker 1000106377 keep state label "IPsec: Tunnel - outbound esp proto" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto esp from 0.0.0.0 to (self) tracker 1000106378 keep state label "IPsec: Tunnel - inbound esp proto" 

With the rules specifying 0.0.0.0, traffic does not match and gets dropped.


Files

Firewall-Generated Ruleset.txt (8.44 KB) Firewall-Generated Ruleset.txt Alhusein Zawi, 08/28/2021 01:02 PM
Actions #1

Updated by Marcos Mendoza 2 months ago

  • Affected Version set to 2.5.2
Actions #3

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 21.09

Need to be careful when we fix this as if the rules were correct they would match too much traffic and potentially interfere with other tunnels. See my notes on the PR.

Actions #4

Updated by Viktor Gurov 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #5

Updated by Alhusein Zawi 2 months ago

  1. VPN Rules
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"

2.6.0.a.20210821.0100

Actions #6

Updated by Jim Pingle 2 months ago

Alhusein Zawi wrote in #note-5:

  1. VPN Rules
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
    pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"

2.6.0.a.20210821.0100

Is that what you expected to see?

There should also be an ESP rule in addition to those two, is it present or missing?

Actions #7

Updated by Jim Pingle about 2 months ago

  • Subject changed from IPsec P1 with Remote Gateway of 0.0.0.0 creates incorrect firewall rules to IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules

Updating subject for release notes.

Actions #8

Updated by Alhusein Zawi about 2 months ago

Is that what you expected to see?

There should also be an ESP rule in addition to those two, is it present or missing?

it is found in Firewall-Generated Ruleset(attached) , not sure about ESP

Actions #9

Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to New

I don't see the "inbound esp proto" rule in that file, only "inbound isakmp" and "inbound nat-t" so it appears to be missing.

Actions #10

Updated by Marcos Mendoza about 2 months ago

  • Status changed from New to Resolved

Yes, the ESP rule is also there.

# VPN Rules
pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105291 keep state label "IPsec: test - inbound isakmp" 
pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105292 keep state label "IPsec: test - inbound nat-t" 
pass in  on $WAN   proto esp from 0.0.0.0/0 to (self) tracker 1000105293 keep state label "IPsec: test - inbound esp proto" 

Tested on:
21.09-BETA (amd64)
built on Tue Aug 24 14:04:24 EDT 2021

Actions

Also available in: Atom PDF