Project

General

Profile

Actions

Bug #12505

closed

NAT issues with IPsec passthrough

Added by Kev Kitchens about 3 years ago. Updated about 3 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

I've noticed some issues with the automatic IPsec passthrough rules generated when the outbound NAT is set to automatic rule generation. I have an IKEv2 VPN configured on my laptop, and it will fail to MOBIKE when I switch from WiFi to Ethernet or vice versa. I eventually tracked this down to an issue in the NAT. The first outbound UDP connection to the remote VPN endpoint gets NAT'd properly, but a subsequent connection from a different internal IP to the same remote endpoint will not be NAT'd at all and instead be forwarded directly. This not only means that MOBIKE will fail, but it also means the firewall will leak internal IP addresses. I worked around the issue by switching to manual rule generation and deleting the IPsec passthrough rules as my VPN supports NAT-T without issues.

IMO, there are two things that could be better here. First, it would be nice to have an option to disable IPsec passthrough when the outbound NAT is set to automatic rule generation. Second, packets shouldn't be sent directly in this scenario leaking internal IP addresses. Instead, they could be dropped or fall back to NAT'ing the source port.

Actions

Also available in: Atom PDF