Bug #15431

closed

Interface Bound Firewall State Policy Breaks IPsec VTI

Added by Christopher de Haas 7 months ago. Updated 7 months ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.8.0
Affected Architecture:
All

Description

After upgrading to pfSense 24.03, IPsec VTI firewall states are broken. The scenario is:

A pfSense router A has a site-to-site tunnel to another pfSense router B using VTI. Router A also has IPsec mobile clients. Traffic originating from mobile clients with a destination to a network on router B does not maintain firewall states correctly, resulting in constantly dropping connections as states are not maintained. Reverting to floating states mitigates the issue but introduces the same security risks as the feature was trying to address.
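The report contrasts the global interface-bound state policy with reverting everything to floating states. The fragment below is an added illustration in pf.conf syntax and is not pfSense's generated ruleset or the reporter's configuration; it shows the two pf knobs involved (the global `set state-policy` and the per-rule `if-bound` / `floating` state option), so that only the rules touching the IPsec paths give up interface binding while the rest of the ruleset keeps the stricter default. Interface names (`enc0`, `ipsec1`, `vtnet0`) and networks are constructed placeholders.

```pf
# Added illustration, not pfSense's own ruleset. Interface names and
# networks below are constructed placeholders.

# Global default: every state is bound to the interface that created it
# (the policy the ticket describes as breaking VTI traffic).
set state-policy if-bound

# Mobile-client traffic enters on enc0 and leaves via the VTI interface.
# Override the state policy per rule so only these states float, rather
# than reverting the whole firewall to floating states.
pass in  quick on enc0   inet from 10.10.0.0/24 to 10.20.0.0/24 keep state (floating)
pass out quick on ipsec1 inet from 10.10.0.0/24 to 10.20.0.0/24 keep state (floating)

# All other rules inherit the if-bound default; no per-rule override here.
pass in on vtnet0 inet proto tcp from any to (vtnet0) port 443 keep state
```

The per-rule override narrows the mitigation to the tunnel paths that the reported regression affects, which limits how much of the interface-bound protection is given up while the underlying issue is open.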


Related issues

Is duplicate of Regression #15430: Interface-bound state policy does not handle IPsec VTI traffic as expected when filtering on ``enc0`` interface. Status: Resolved. Assignee: Marcos M
