Bug #5421

closed

IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint

Added by Jim Pingle over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: High
Category: IPsec
Target version:
Start date: 11/11/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3
Affected Architecture:

Description

IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint. A few of us noticed we had to add "allow all" rules on enc0 to get traffic to pass even when initiated from LAN.

tcpdump of the traffic on enc0 showed the external address coming in, which it didn't use to do:

13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!)
    192.168.x.22 > 172.16.x.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104)
    y.y.y.7 > z.z.z.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.x.5 > 192.168.x.22: ICMP echo reply, id 11531, seq 1, length 64

y.y.y.7 in the above is the remote IPsec endpoint, z.z.z.136 is the local public IP address on WAN. If I add a pass rule to the IPsec tab for y.y.y.7, IPsec reply traffic flows.
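The following is an added example, not code from the bug report or from pfSense. It parses the enc0 tcpdump excerpt above and shows, for each packet, which address pair a per-packet filter on enc0 would see, then evaluates two small rule lists against those packets. It assumes (this is not stated on the page, only suggested by the report's observation) that the enc0 filter matches the outermost IP header tcpdump prints, so a tunnel-mode reply (proto IPIP) is judged on the outer endpoint addresses rather than on the inner subnet addresses. The x/y/z placeholder octets from the report are filled in with RFC 5737 documentation addresses; the rule lists `INNER_ONLY` and `WITH_ENDPOINT` are constructed for the example.

```python
"""Added example (not part of the pfSense bug report): parse enc0 tcpdump
output and show which header a per-packet filter on enc0 is assumed to see.
Assumption (not from the page): the filter evaluates the outermost header
printed by tcpdump, so a proto IPIP packet is matched on its outer addresses.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the report's tcpdump lines with placeholder octets
# replaced by RFC 5737 documentation addresses (192.168.x -> 192.168.1,
# 172.16.x -> 172.16.1, y.y.y.7 -> 203.0.113.7, z.z.z.136 -> 198.51.100.136).
SAMPLE = """\
13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!)
    192.168.1.22 > 172.16.1.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104)
    203.0.113.7 > 198.51.100.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.1.5 > 192.168.1.22: ICMP echo reply, id 11531, seq 1, length 64
"""

# Timestamp line: captures the SPI and the protocol of the outermost payload.
HDR_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ .*?SPI (0x[0-9a-f]+): \(.*?proto (\w+) \((\d+)\)"
)
# Indented "src > dst:" lines: one per IP header, outermost first.
ADDR_RE = re.compile(r"^\s+(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):")


@dataclass
class EncPacket:
    spi: str
    proto: str                      # protocol named on the SPI line
    headers: list = field(default_factory=list)  # (src, dst), outermost first

    @property
    def tunnel_mode(self) -> bool:
        # An IPIP payload means a whole inner IP packet is encapsulated.
        return self.proto == "IPIP"

    @property
    def visible(self) -> tuple:
        # Assumed filter view on enc0: the outermost header.
        return self.headers[0]

    @property
    def inner(self) -> tuple:
        # The addresses an operator expects to write rules for.
        return self.headers[-1]


def parse_enc0(text: str) -> list:
    """Group tcpdump lines into EncPacket records."""
    packets = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            packets.append(EncPacket(spi=m.group(1), proto=m.group(2)))
            continue
        m = ADDR_RE.match(line)
        if m and packets:
            packets[-1].headers.append((m.group(1), m.group(2)))
    return packets


def rule_matches(rules, packet: EncPacket) -> bool:
    """True if any (src_net, dst_net) pass rule covers the visible header."""
    src, dst = packet.visible
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
        for rs, rd in rules
    )


def evaluate(rules, packets) -> list:
    return [rule_matches(rules, p) for p in packets]


# Constructed rule lists: only the inner subnets, then with the far-side
# endpoint's external address added, as the report describes.
INNER_ONLY = [("192.168.1.0/24", "172.16.1.0/24"),
              ("172.16.1.0/24", "192.168.1.0/24")]
WITH_ENDPOINT = INNER_ONLY + [("203.0.113.7/32", "198.51.100.136/32")]

if __name__ == "__main__":
    pkts = parse_enc0(SAMPLE)
    for p, a, b in zip(pkts, evaluate(INNER_ONLY, pkts), evaluate(WITH_ENDPOINT, pkts)):
        print(f"SPI {p.spi} tunnel={p.tunnel_mode} visible={p.visible} "
              f"inner={p.inner} inner_only={a} with_endpoint={b}")
```

Run as-is: the outbound echo request is matched by the inner-subnet rules, while the tunnel-mode reply is only matched once a rule for the far-side endpoint's outer address (203.0.113.7 standing in for y.y.y.7) is present, which reproduces the report's observation under the stated assumption.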
