Bug #5421
closed
IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint
0%
Description
IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint. A few of us noticed we had to add "allow all" rules on enc0 to get traffic to pass even when initiated from LAN.
tcpdump of the traffic on enc0 showed the external address coming in, which it didn't used to do:
13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!)
192.168.x.22 > 172.16.x.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104)
y.y.y.7 > z.z.z.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.x.5 > 192.168.x.22: ICMP echo reply, id 11531, seq 1, length 64
y.y.y.7 in the above is the remote IPsec endpoint, z.z.z.136 is the local public IP address on WAN. If I add a pass rule to the IPsec tab for y.y.y.7, IPsec reply traffic flows.
Updated by Chris Buechler over 8 years ago
- Project changed from Bootstrap to pfSense
- Category set to IPsec
Updated by Chris Buechler over 8 years ago
- Status changed from Confirmed to Feedback
- Assignee changed from Renato Botelho to Chris Buechler
fixed with what I just pushed, leaving for additional confirmation.
Updated by Jim Pingle over 8 years ago
- Status changed from Feedback to Confirmed
Updated to the latest snap this morning and did a gitsync for good measure, I still needed the rule. I don't have any custom tunables for ipsec debug, net.inet.ipsec.debug is 0 according to sysctl. Something still missing from snaps?
Updated by Jim Pingle over 8 years ago
- Status changed from Confirmed to Feedback
Updated by Jim Thompson over 8 years ago
- Status changed from Feedback to Resolved