Bug #4570

closed

2.2.1 Omits SPD entries for LAN traffic with Supernet IPSEC tunnel

Added by Nei Ka over 9 years ago. Updated over 9 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
04/02/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2.1
Affected Architecture:

Description

Under 2.1.5 creating an IPSEC tunnel with a supernet/subnet arrangement produces SPD rules like this:

$ setkey -DP
172.21.71.0/24[any] 172.21.71.1[any] 255
in none
spid=14 seq=3 pid=80285
refcnt=1
172.16.0.0/12[any] 172.21.71.0/24[any] 255
in ipsec
esp/tunnel/111.222.333.444-192.168.0.4/unique#16394
spid=16 seq=2 pid=80285
refcnt=1
172.21.71.1[any] 172.21.71.0/24[any] 255
out none
spid=13 seq=1 pid=80285
refcnt=1
172.21.71.0/24[any] 172.16.0.0/12[any] 255
out ipsec
esp/tunnel/192.168.0.4-111.222.333.444/unique#16393
spid=15 seq=0 pid=80285
refcnt=1

This is on a system behind a NAT firewall.

When switching to 2.2.1 only the following rules are present:

172.16.0.0/12[any] 172.21.71.0/24[any] 255
in ipsec
esp/tunnel/111.222.333.444-192.168.0.4/unique
172.21.71.0/24[any] 172.16.0.0/12[any] 255
out ipsec
esp/tunnel/192.168.0.4-111.222.333.444/unique

(Copied from console)

This means that the firewall becomes inaccessible from the LAN.
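To make the reported failure concrete, here is an added example (not pfSense code and not the reporter's) that models the two SPD listings above as selector lists, checks whether the remote selector also covers the LAN, and shows that without the two "none" entries a cleartext LAN-to-firewall packet is matched by the tunnel policy instead of being passed. The first-match ordering, the sample LAN host and the /32 rendering of the firewall address are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario using the addresses from the report: a LAN /24 carried
# through a tunnel whose remote selector is a /12 that also contains that LAN.
LOCAL_NET = ip_network("172.21.71.0/24")
REMOTE_NET = ip_network("172.16.0.0/12")
FW_LAN_IP = ip_address("172.21.71.1")

def tunnel_policies(local, remote):
    """The two tunnel entries present in both listings: (src, dst, direction, action)."""
    return [(remote, local, "in", "ipsec"), (local, remote, "out", "ipsec")]

def bypass_policies(local, fw_ip):
    """The two 'none' entries the 2.1.5 listing had and the 2.2.1 listing lacks."""
    host = ip_network(f"{fw_ip}/32")
    return [(local, host, "in", "none"), (host, local, "out", "none")]

def remote_covers_local(local, remote):
    """True when the remote selector overlaps the local one; LAN<->firewall
    traffic then matches the tunnel policy unless a bypass entry is present."""
    return remote.overlaps(local)

def lookup(spd, src, dst, direction):
    """Return the action for a packet. Assumption: entries are checked in list
    order and the first match wins, with bypass entries listed before tunnel
    entries as in the 2.1.5 output above."""
    src, dst = ip_address(src), ip_address(dst)
    for s, d, dirn, action in spd:
        if dirn == direction and src in s and dst in d:
            return action
    return "none"  # no matching policy: plaintext is simply forwarded

def setkey_lines(spd):
    """Render entries as setkey(8) spdadd statements (host printed as /32)."""
    return [f"spdadd {s} {d} any -P {dirn} {action};" for s, d, dirn, action in spd]

def check_spd(local, fw_ip, spd):
    """Action applied to a cleartext packet from a sample LAN host (assumed .50)
    arriving at the firewall's LAN address."""
    lan_host = str(local.network_address + 50)
    return lookup(spd, lan_host, str(fw_ip), "in")

if __name__ == "__main__":
    broken = tunnel_policies(LOCAL_NET, REMOTE_NET)            # 2.2.1 listing
    fixed = bypass_policies(LOCAL_NET, FW_LAN_IP) + broken     # 2.1.5 listing
    print("remote selector covers LAN:", remote_covers_local(LOCAL_NET, REMOTE_NET))
    print("LAN->firewall under 2.2.1 SPD:", check_spd(LOCAL_NET, FW_LAN_IP, broken))
    print("LAN->firewall under 2.1.5 SPD:", check_spd(LOCAL_NET, FW_LAN_IP, fixed))
    print("\n".join(setkey_lines(fixed)))
```

Under the 2.2.1 set the LAN host's packet resolves to "ipsec", so the kernel expects it to arrive protected and discards the cleartext; with the bypass entries it resolves to "none" while LAN-to-remote traffic still selects the tunnel.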
