Project

General

Profile

Actions

Bug #12262

closed

IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules

Added by Marcos M over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

When using 0.0.0.0 as the remote gateway IP for IPsec, the automatic rules to allow port 500 and 4500 are incorrect:

pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 500 tracker 1000106373 keep state label "IPsec: Tunnel - outbound isakmp" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 500 tracker 1000106374 keep state label "IPsec: Tunnel - inbound isakmp" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto udp from (self) to 0.0.0.0 port = 4500 tracker 1000106375 keep state label "IPsec: Tunnel - outbound nat-t" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto udp from 0.0.0.0 to (self) port = 4500 tracker 1000106376 keep state label "IPsec: Tunnel - inbound nat-t" 
pass out   route-to ( mvneta0 192.0.2.1 )  proto esp from (self) to 0.0.0.0 tracker 1000106377 keep state label "IPsec: Tunnel - outbound esp proto" 
pass in  on $OPT1  reply-to ( mvneta0 192.0.2.1 )  proto esp from 0.0.0.0 to (self) tracker 1000106378 keep state label "IPsec: Tunnel - inbound esp proto" 

With the rules specifying 0.0.0.0, traffic does not match and gets dropped.


Files

Firewall-Generated Ruleset.txt (8.44 KB) Firewall-Generated Ruleset.txt Alhusein Zawi, 08/28/2021 01:02 PM
Actions

Also available in: Atom PDF