Bug #15431

closed

Interface Bound Firewall State Policy Breaks IPsec VTI

Added by Christopher de Haas 12 days ago. Updated 12 days ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
% Done: 0%
Release Notes: Default
Affected Version: 2.8.0
Affected Architecture: All

Description

After upgrading to pfSense 24.03, IPsec VTI firewall states are broken. The scenario is:

A pfSense router A has a site-to-site tunnel to another pfSense router B using VTI. Router A also has IPsec mobile clients. Traffic originating from mobile clients with a destination on a network behind router B does not maintain firewall states correctly, resulting in constantly dropping connections as states are not maintained. Reverting to floating states mitigates the issue but reintroduces the same security risks the feature was trying to address.


Related issues

Is duplicate of Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 (Status: New, Assignee: Kristof Provost)

#1

Updated by Jim Pingle 12 days ago

  • Status changed from New to Duplicate
  • Priority changed from High to Normal

Usually states would only disappear like that if the traffic is not being matched in both directions and then times out/gets removed (e.g. asymmetric routing).

Reads similarly to #15430, so it seems like either it's related or possibly it's a situation that needs floating to work properly. Using floating on one interface isn't as problematic as using it everywhere, and unless your WANs are DHCP it's pretty much a non-issue anyhow.
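Added example (not from this report or the pfSense project) showing the pf ruleset form of the two state policies discussed above: the global interface-bound default, and the per-rule floating override applied only to the rules carrying the VTI and mobile-client traffic, which is the narrower mitigation suggested in the comment. Interface names (enc0, ipsec1000) and the address ranges are assumptions.

```pf
# Constructed pf ruleset fragment; interface names and addresses are assumed.
# ipsec1000 = the VTI to router B, enc0 = where the mobile-client traffic is filtered.

# Global default: each state is bound to the interface that created it
# (the interface-bound policy introduced with pfSense 24.03).
set state-policy if-bound

# Failure mode from the report: if the return traffic for a mobile-client
# flow is not matched on the same interface that created the state, the
# state is never refreshed in the reverse direction, times out, and the
# connection drops.
pass in  quick on enc0      from 10.99.0.0/24 to 10.20.0.0/24 keep state
pass out quick on ipsec1000 from 10.99.0.0/24 to 10.20.0.0/24 keep state

# Mitigation: keep if-bound everywhere else, but mark only the rules that
# carry this traffic as floating so one state matches the flow on whichever
# interface it traverses. Everything else keeps the stricter policy.
pass in  quick on enc0      from 10.99.0.0/24 to 10.20.0.0/24 keep state (floating)
pass out quick on ipsec1000 from 10.99.0.0/24 to 10.20.0.0/24 keep state (floating)
```

`pfctl -s state` shows which interface each state is bound to, which is the quickest way to confirm whether a stalled flow's state is if-bound or floating.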

#2

Updated by Jim Pingle 12 days ago

  • Is duplicate of Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on enc0 added