Project

General

Profile

Actions

Bug #15431

closed

Interface Bound Firewall State Policy Breaks IPsec VTI

Added by Christopher de Haas 8 months ago. Updated 8 months ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.8.0
Affected Architecture:
All

Description

After upgrading to pfSense 24.03 IPsec VTI firewall states are broken. The scenario is:

A pfSense router A has a site-to-site tunnel to another pfSense router B using VTI. Router A also has IPsec mobile clients. Traffic originating from mobile clients with a destination to a network on router B does not maintain firewall states correctly, resulting in constantly dropping connections as states are not maintained. Reverting to floating states mitigates the issue but introduces the same security risks as the feature was trying to address.


Related issues

Is duplicate of Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interfaceResolvedMarcos M

Actions
Actions #1

Updated by Jim Pingle 8 months ago

  • Status changed from New to Duplicate
  • Priority changed from High to Normal

Usually states would only disappear like that if the traffic is not being matched in both directions and then times out/gets removed (e.g. asymmetric routing)

Reads similarly to #15430 so seems like either it's related or possibly it's a situation that needs floating to work properly. Using floating on one interface isn't an problematic as using it everywhere, and unless your WAN are DHCP it's pretty much a non-issue anyhow.

Actions #2

Updated by Jim Pingle 8 months ago

  • Is duplicate of Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interface added
Actions

Also available in: Atom PDF