Bug #4157 (closed)
IPsec route-to/reply-to "pass out" rules mis-route ISAKMP and ESP traffic with remote on same subnet
Start date: 12/29/2014
% Done: 0%
Affected Version: All
Description
Where your IPsec remote endpoint is on the same subnet as the local IP where it's bound, the "pass out" rules for ISAKMP and ESP send the traffic to the system's gateway rather than directly to the remote. 2.1.5 at least does the same, so not a regression. Not too difficult to change the logic in filter.inc around line 3698 to skip where it's in the same subnet.
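The same-subnet check described in this report, sketched as an added example (not code from filter.inc or from the pfSense project). The function name, interface name and addresses are assumptions, and the rule strings are illustrative pf syntax rather than the exact rules pfSense generates.

```python
import ipaddress


def ipsec_pass_out_rules(ifname, local_cidr, gateway, remote):
    """Build pf-style "pass out" rules for ISAKMP and ESP toward one remote.

    Hypothetical helper: route-to is emitted only when the remote endpoint
    is NOT on the subnet of the local address the tunnel is bound to.
    """
    iface = ipaddress.ip_interface(local_cidr)
    peer = ipaddress.ip_address(remote)

    # On-link peer: same address family and inside the interface's subnet.
    on_link = peer.version == iface.version and peer in iface.network

    # route-to forces the packet to the gateway. For an on-link peer that
    # is the mis-routing in this bug, so the option is left out; it is also
    # left out when the interface has no gateway at all.
    route = "" if on_link or not gateway else f"route-to ({ifname} {gateway}) "
    family = "inet" if peer.version == 4 else "inet6"

    return [
        # ISAKMP (UDP 500)
        f"pass out on {ifname} {route}{family} proto udp "
        f"from any to {remote} port = 500 keep state",
        # ESP
        f"pass out on {ifname} {route}{family} proto esp "
        f"from any to {remote} keep state",
    ]


if __name__ == "__main__":
    # Constructed sample values from documentation address ranges.
    for remote in ("198.51.100.20", "203.0.113.5"):
        print(f"# remote {remote}")
        for rule in ipsec_pass_out_rules(
            "em0", "198.51.100.10/24", "198.51.100.1", remote
        ):
            print(rule)
```
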
Updated by Chris Buechler almost 10 years ago
- Status changed from Confirmed to Feedback
should be fixed, leaving for further verification
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Resolved
confirmed on a handful more systems with a variety of configs, a good mix of ones that need the route-to/reply-to and ones that shouldn't have it. all good