Bug #5421

IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint

Added by Jim Pingle over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: High
Category: IPsec
Target version:
Start date: 11/11/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3
Affected Architecture:

Description

IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint. A few of us noticed we had to add "allow all" rules on enc0 to get traffic to pass even when initiated from LAN.

tcpdump of the traffic on enc0 showed the external address coming in, which it didn't used to do:

13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!)
    192.168.x.22 > 172.16.x.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104)
    y.y.y.7 > z.z.z.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.x.5 > 192.168.x.22: ICMP echo reply, id 11531, seq 1, length 64

y.y.y.7 in the above is the remote IPsec endpoint, z.z.z.136 is the local public IP address on WAN. If I add a pass rule to the IPsec tab for y.y.y.7, IPsec reply traffic flows.

Associated revisions

Revision 8e068605 (diff)
Added by Chris Buechler over 3 years ago

The net.enc.in sysctls should be 2, for only the inner portion of the VPN. Ticket #5421
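The following script is an added example, not code from the ticket, the fix commit or the pfSense project. It shows why the filter mask value matters for the capture above: it decodes a mask value, then reads a tcpdump -v capture from enc0 and prints the outer endpoint pairs that pf would have to match with a pass rule. It assumes the enc(4) bitmask convention (bit 0x1 exposes the outer, still-encapsulated packet to pf, bit 0x2 exposes the inner, decrypted packet) and uses the FreeBSD enc(4) sysctl name net.enc.in.ipsec_filter_mask; the sample capture is constructed from the one in the ticket description.

```shell
#!/bin/sh
# Added example, not code from the pfSense ticket or its fix commit.
# Assumption: the "net.enc.in sysctls" the commit refers to follow the enc(4)
# bitmask convention, where bit 0x1 hands the outer (still-encapsulated)
# packet to pf on enc0 and bit 0x2 hands the inner (decrypted) packet to pf.
ENC_IN_SYSCTL="net.enc.in.ipsec_filter_mask"

# Decode a mask value into the packet views pf evaluates on inbound enc0.
enc_in_describe() {
    case "$1" in
        0) echo "pf sees nothing on enc0 (no filtering)" ;;
        1) echo "pf sees only the outer packet (endpoint-to-endpoint header)" ;;
        2) echo "pf sees only the inner packet (tunnelled traffic)" ;;
        3) echo "pf sees both the outer and the inner packet" ;;
        *) echo "unrecognised mask value: $1" >&2; return 1 ;;
    esac
}

# Given a mask and a tcpdump -v capture from enc0 on stdin, print the
# outer "src > dst" pairs that pf would evaluate, i.e. the far-side endpoint
# addresses that would need an explicit pass rule on the IPsec tab.
# In tcpdump -v output the outer address line follows the record line that
# carries "proto IPIP (4)", so awk pairs each such record with its next line.
endpoints_needing_rules() {
    mask="$1"
    awk -v mask="$mask" '
        /proto IPIP \(4\)/ { outer = 1; next }
        outer == 1 {
            if ((mask % 2) == 1) { sub(/:$/, "", $3); print $1 " > " $3 }
            outer = 0; next
        }'
}

# Constructed sample, modelled on the capture in the ticket description.
SAMPLE_CAPTURE='13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.x.22 > 172.16.x.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104)
    y.y.y.7 > z.z.z.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.x.5 > 192.168.x.22: ICMP echo reply, id 11531, seq 1, length 64'

# Read the running value on a FreeBSD/pfSense box; prints nothing elsewhere.
running_enc_in_mask() {
    sysctl -n "$ENC_IN_SYSCTL" 2>/dev/null
}

# Stand-alone run: compare the setting that caused the ticket (3) with the
# fixed setting (2) on the sample capture.
for m in 3 2; do
    echo "mask=$m: $(enc_in_describe "$m")"
    printf '%s\n' "$SAMPLE_CAPTURE" | endpoints_needing_rules "$m" \
        | sed 's/^/  needs pass rule for: /'
done
```

With mask 3 the script reports that a pass rule for y.y.y.7 > z.z.z.136 is required, which is exactly the rule the ticket describes having to add; with mask 2 only the inner packets reach pf and no endpoint rule is needed. On a live box, compare `running_enc_in_mask` against 2 to confirm the fix is in effect.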

History

#1 Updated by Chris Buechler over 3 years ago

  • Project changed from Bootstrap to pfSense
  • Category set to IPsec

#2 Updated by Chris Buechler over 3 years ago

  • Status changed from Confirmed to Feedback
  • Assignee changed from Renato Botelho to Chris Buechler

Fixed with what I just pushed, leaving for additional confirmation.

#3 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Confirmed

Updated to the latest snap this morning and did a gitsync for good measure; I still needed the rule. I don't have any custom tunables for ipsec debug; net.inet.ipsec.debug is 0 according to sysctl. Something still missing from snaps?

#4 Updated by Jim Pingle over 3 years ago

  • Status changed from Confirmed to Feedback

False alarm... seems it does work. Must have missed the last snap and not been picked up and applied after I synced until I rebooted (or a panic rebooted for me, rather).

Luiz says the change to '3' was intended to fix #2993, so with it back on 2 we may need to reevaluate/test #2993.

#5 Updated by Jim Thompson over 3 years ago

Works for me as well.

#6 Updated by Jim Thompson over 3 years ago

  • Status changed from Feedback to Resolved
