Project

General

Profile

Bug #3654

Outbound IPsec rules do not exclude WAN subnet

Added by Jim Pingle over 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
05/12/2014
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2
Affected Architecture:
All

Description

Either the rules need adjusted or we're missing the patch that automatically excludes WAN subnet traffic from route-to.

Default rules for IPsec outbound look like so:

pass out log on $WAN  route-to ( em0 192.168.2.1 )  proto udp from any to 192.168.2.5 port = 500 tracker 1000104251 keep state label "IPsec: My Tunnel - outbound isakmp" 

The packets are delivered to the gateway instead of directly to the target system, which will often break.

The firewall rules in general do have an exclusion:

pass out log route-to ( em0 192.168.2.1 ) from 192.168.2.8 to !192.168.2.0/24 tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself" 

History

#1 Updated by Ermal Lu├ži over 4 years ago

  • Status changed from New to Feedback

Pushed a patch for this!
It is the same as for reply-to.

#2 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

confirmed working (rules don't exclude, patch works)

Also available in: Atom PDF