Bug #5211
Auto-added IPsec rules overmatch in some circumstances
Start date: 09/28/2015
% Done: 0%
Affected Version: All
Description
The auto-added IPsec rules over-match in some situations, primarily where using mobile IPsec. For instance, if you have mobile IPsec enabled on a system that has IPsec endpoints behind it (usually an edge system that doesn't NAT), their ISAKMP and ESP traffic will hit the mobile route-to/reply-to pass rules and will leave via the wrong WAN if mobile IPsec is enabled on a different interface.
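As an added illustration (not code from this ticket or from pfSense), the following Python model evaluates rules shaped like the auto-added mobile IPsec outbound rules against a constructed two-WAN, no-NAT topology. The interface names (em0/em1), addresses, the first-match evaluation and the exact rule shape are assumptions made for the example. It shows why `from any` is wrong: a transit IKE or ESP packet from an endpoint behind the edge matches the mobile rule and inherits its `route-to`, so it is forced out the mobile IPsec WAN instead of following the routing table, while `from (self)` only catches the firewall's own traffic. The inbound `reply-to` rules over-match in the same way and are omitted here to keep the model short.

```python
"""Model of the over-match in pfSense bug #5211 (added example, not project code).

Everything here is constructed for illustration: interface names, addresses and
the simplified shape of the auto-added mobile IPsec rules are assumptions, not
pfSense's real filter output. Rules are evaluated first-match, as 'quick' rules are.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology: an edge firewall with two WANs and no NAT.
WAN1 = ("em0", "198.51.100.2", "198.51.100.1")   # (iface, own address, gateway)
WAN2 = ("em1", "192.0.2.2", "192.0.2.1")         # mobile IPsec is bound here (assumed)
# pf's (self) expands to every address configured on the firewall itself.
SELF_ADDRS = {ip_address(WAN1[1]), ip_address(WAN2[1]), ip_address("198.51.100.65")}


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str                  # "udp", "esp" or "any"
    src: str                    # "any", "(self)" or a CIDR
    dst: str
    dport: Optional[int] = None
    route_to: Optional[Tuple[str, str]] = None   # (iface, gateway) forced by route-to
    label: str = ""


def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against a pf-style source/destination spec."""
    if spec == "any":
        return True
    if spec == "(self)":
        return ip_address(addr) in SELF_ADDRS
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def forced_egress(rules: List[Rule], pkt: Packet) -> Optional[Tuple[str, str]]:
    """(iface, gateway) a route-to rule forces, or None when the packet is left
    to ordinary routing-table forwarding."""
    rule = first_match(rules, pkt)
    return rule.route_to if rule else None


def mobile_ipsec_rules(src_spec: str) -> List[Rule]:
    """Outbound rules in the shape of the auto-added mobile IPsec rules.
    src_spec is 'any' (the over-matching form) or '(self)' (the fix)."""
    egress = (WAN2[0], WAN2[2])
    return [
        Rule("out", "udp", src_spec, "any", 500, egress, "IPsec: Mobile IPsec - outbound isakmp"),
        Rule("out", "udp", src_spec, "any", 4500, egress, "IPsec: Mobile IPsec - outbound nat-t"),
        Rule("out", "esp", src_spec, "any", None, egress, "IPsec: Mobile IPsec - outbound esp proto"),
        Rule("out", "any", "any", "any", None, None, "pass out (no route-to): follow routing table"),
    ]


# Constructed packets. 198.51.100.70 is an IPsec endpoint behind the edge whose
# traffic would normally leave via WAN1; 192.0.2.2 is the firewall's own WAN2 address.
TRANSIT_IKE = Packet("out", "udp", "198.51.100.70", "203.0.113.10", 500)
TRANSIT_ESP = Packet("out", "esp", "198.51.100.70", "203.0.113.10")
OWN_IKE = Packet("out", "udp", WAN2[1], "203.0.113.10", 500)

if __name__ == "__main__":
    for spec in ("any", "(self)"):
        rules = mobile_ipsec_rules(spec)
        for name, pkt in (("transit IKE", TRANSIT_IKE), ("transit ESP", TRANSIT_ESP), ("own IKE", OWN_IKE)):
            hit = first_match(rules, pkt)
            print(f"from {spec:7} {name:12} -> {hit.label}; forced egress: {hit.route_to}")
```

With `from any`, both transit packets are forced out em1 via 192.0.2.1 even though the routing table would send them out em0; with `from (self)` only the firewall's own IKE packet hits the route-to rule and the transit traffic falls through to the plain pass rule.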
Associated revisions
Use self rather than any in auto-added IPsec rules to prevent over-matching. Ticket #5211