Bug #12262
closed
IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules
Added by Marcos M over 3 years ago.
Updated about 3 years ago.
Plus Target Version: 22.01
Description
When using 0.0.0.0 as the remote gateway IP for IPsec, the automatic rules to allow port 500 and 4500 are incorrect:
pass out route-to ( mvneta0 192.0.2.1 ) proto udp from (self) to 0.0.0.0 port = 500 tracker 1000106373 keep state label "IPsec: Tunnel - outbound isakmp"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto udp from 0.0.0.0 to (self) port = 500 tracker 1000106374 keep state label "IPsec: Tunnel - inbound isakmp"
pass out route-to ( mvneta0 192.0.2.1 ) proto udp from (self) to 0.0.0.0 port = 4500 tracker 1000106375 keep state label "IPsec: Tunnel - outbound nat-t"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto udp from 0.0.0.0 to (self) port = 4500 tracker 1000106376 keep state label "IPsec: Tunnel - inbound nat-t"
pass out route-to ( mvneta0 192.0.2.1 ) proto esp from (self) to 0.0.0.0 tracker 1000106377 keep state label "IPsec: Tunnel - outbound esp proto"
pass in on $OPT1 reply-to ( mvneta0 192.0.2.1 ) proto esp from 0.0.0.0 to (self) tracker 1000106378 keep state label "IPsec: Tunnel - inbound esp proto"
With the rules specifying 0.0.0.0, traffic does not match and gets dropped.
- Affected Version set to 2.5.2
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Need to be careful when we fix this, as if the rules were correct they would match too much traffic and potentially interfere with other tunnels. See my notes on the PR.
- Status changed from Pull Request Review to Feedback
# VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"
2.6.0.a.20210821.0100
Alhusein Zawi wrote in #note-5:
# VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105301 keep state label "IPsec: test12262 - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105302 keep state label "IPsec: test12262 - inbound nat-t"
2.6.0.a.20210821.0100
Is that what you expected to see?
There should also be an ESP rule in addition to those two, is it present or missing?
- Subject changed from IPsec P1 with Remote Gateway of 0.0.0.0 creates incorrect firewall rules to IPsec phase 1 entry with ``0.0.0.0`` as its remote gateway does not receive correct automatic firewall rules
Updating subject for release notes.
Is that what you expected to see?
There should also be an ESP rule in addition to those two, is it present or missing?
It is found in the Firewall-Generated Ruleset (attached), not sure about ESP.
- Status changed from Feedback to New
I don't see the "inbound esp proto" rule in that file, only "inbound isakmp" and "inbound nat-t" so it appears to be missing.
- Status changed from New to Resolved
Yes, the ESP rule is also there.
# VPN Rules
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000105291 keep state label "IPsec: test - inbound isakmp"
pass in on $WAN proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000105292 keep state label "IPsec: test - inbound nat-t"
pass in on $WAN proto esp from 0.0.0.0/0 to (self) tracker 1000105293 keep state label "IPsec: test - inbound esp proto"
Tested on:
21.09-BETA (amd64)
built on Tue Aug 24 14:04:24 EDT 2021
- Plus Target Version changed from 21.09 to 22.01
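The rule-generation mistake in this report, and the shape of the corrected rules shown in the resolved ruleset above (inbound-only, source 0.0.0.0/0 on WAN, no route-to/reply-to), reduced to a small Python illustration. This is added example code, not pfSense's own filter generation; the interface mvneta0, gateway 192.0.2.1, the $WAN macro and the tracker base are constructed placeholders, and the matcher models only pf's host-versus-network source matching for the generated source specification, not full rule evaluation.

```python
import ipaddress

# Constructed placeholder values (not taken from the bug report's config).
WAN_IF = "mvneta0"
WAN_GW = "192.0.2.1"


def _src_spec(remote, fixed):
    """Source specification for the inbound rules.

    In pf, "from 0.0.0.0" matches only the literal host 0.0.0.0/32. A phase 1
    entry whose remote gateway is 0.0.0.0 means "any peer", so the corrected
    rules must use the 0.0.0.0/0 network instead of the bare address.
    """
    if fixed and remote == "0.0.0.0":
        return "0.0.0.0/0"
    return remote


def ipsec_rules(remote, fixed=True, label="Tunnel", tracker=1000106373):
    """Return the automatic pf rules for one IPsec phase 1 entry.

    fixed=False reproduces the broken output from the bug description: the
    remote gateway is used literally and outbound + inbound rules are emitted.
    fixed=True models the corrected behaviour: for 0.0.0.0 only the three
    inbound rules are emitted, with a 0.0.0.0/0 source and no reply-to, since
    with no fixed peer there is nothing to route-to or reply-to. A concrete
    gateway keeps the full six rules, scoped to that single host.
    """
    rules = []
    src = _src_spec(remote, fixed)
    any_peer = fixed and remote == "0.0.0.0"
    t = tracker  # tracker id, incremented per rule (constructed base value)
    protos = [("udp", " port = 500", "isakmp"),
              ("udp", " port = 4500", "nat-t"),
              ("esp", "", "esp proto")]
    for proto, port, name in protos:
        if not any_peer:
            rules.append(
                f"pass out route-to ( {WAN_IF} {WAN_GW} ) proto {proto} "
                f"from (self) to {remote}{port} tracker {t} keep state "
                f'label "IPsec: {label} - outbound {name}"')
            t += 1
        reply = "" if any_peer else f"reply-to ( {WAN_IF} {WAN_GW} ) "
        rules.append(
            f"pass in on $WAN {reply}proto {proto} from {src} to (self)"
            f"{port} tracker {t} keep state "
            f'label "IPsec: {label} - inbound {name}"')
        t += 1
    return rules


def source_matches(src_spec, peer_ip):
    """pf source semantics: a bare address is a /32 host; a CIDR is a network."""
    net = ipaddress.ip_network(src_spec, strict=False)
    return ipaddress.ip_address(peer_ip) in net


def peer_allowed(remote, peer_ip, fixed=True):
    """Would IKE traffic from peer_ip pass the inbound rule for this entry?"""
    return source_matches(_src_spec(remote, fixed), peer_ip)


if __name__ == "__main__":
    print("broken ruleset for remote gateway 0.0.0.0:")
    print("\n".join(ipsec_rules("0.0.0.0", fixed=False)))
    print("\ncorrected ruleset for remote gateway 0.0.0.0:")
    print("\n".join(ipsec_rules("0.0.0.0")))
    # Constructed peer address: dropped by the broken rules, accepted by the fix.
    print("\npeer 203.0.113.7 allowed (broken):", peer_allowed("0.0.0.0", "203.0.113.7", fixed=False))
    print("peer 203.0.113.7 allowed (fixed): ", peer_allowed("0.0.0.0", "203.0.113.7"))
```

The last assertion-style check is the one that matters from a defender's view: a concrete remote gateway still yields rules scoped to that one host, so the 0.0.0.0/0 source appears only for the entry that genuinely accepts any peer, which is the over-matching concern raised earlier in the thread.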