Bug #5421
IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint
Status:
closed
Start date:
11/11/2015
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3
Affected Architecture:
Description
IPsec traffic does not pass on enc0 unless pass rules are added for the external IP address of the far-side IPsec endpoint. A few of us noticed we had to add "allow all" rules on enc0 to get traffic to pass even when initiated from LAN.
tcpdump of the traffic on enc0 showed the external address coming in, which it didn't use to do:
13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!) 192.168.x.22 > 172.16.x.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104) y.y.y.7 > z.z.z.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84) 172.16.x.5 > 192.168.x.22: ICMP echo reply, id 11531, seq 1, length 64
y.y.y.7 in the above is the remote IPsec endpoint, z.z.z.136 is the local public IP address on WAN. If I add a pass rule to the IPsec tab for y.y.y.7, IPsec reply traffic flows.
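As an added illustration (not part of the bug report or of pfSense itself), a small parser for enc0 tcpdump lines of the kind shown above: it pulls out the SPI and the stacked IP headers of each packet, reports the source address a rule on enc0 is matched against (the outermost header, i.e. the far-side endpoint when the IPIP header is still present), and lists which of those addresses fall outside the tunnel's phase 2 networks. The sample capture and the phase 2 networks are constructed placeholders standing in for the report's masked addresses.

```python
import re
from ipaddress import ip_address, ip_network

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One IP header as tcpdump prints it on enc0: "... proto ICMP (1), length 84 ...) src > dst:"
HEADER_RE = re.compile(r"proto (\w+) \(\d+\), length \d+.*?\) " + IP + r" > " + IP + r":")
SPI_RE = re.compile(r"SPI (0x[0-9a-fA-F]+)")

# Constructed sample modelled on the two packets in the report; the report's masked
# octets are replaced with placeholders (x -> 1, y.y.y -> 203.0.113, z.z.z -> 198.51.100).
SAMPLE = """\
13:25:59.220018 (authentic,confidential): SPI 0xc518f85c: (tos 0x0, ttl 63, id 19266, offset 0, flags [DF], proto ICMP (1), length 84, bad cksum 4e7f (->4f7f)!) 192.168.1.22 > 172.16.1.5: ICMP echo request, id 11531, seq 1, length 64
13:25:59.263464 (authentic,confidential): SPI 0xc860b7f5: (tos 0x0, ttl 52, id 32068, offset 0, flags [none], proto IPIP (4), length 104) 203.0.113.7 > 198.51.100.136: (tos 0x0, ttl 62, id 2824, offset 0, flags [DF], proto ICMP (1), length 84) 172.16.1.5 > 192.168.1.22: ICMP echo reply, id 11531, seq 1, length 64
"""

def parse_enc0_line(line):
    """Split one enc0 tcpdump line into its SPI and its list of (proto, src, dst) headers,
    outermost first. A tunnel-mode packet that still carries its IPIP header yields two."""
    spi = SPI_RE.search(line)
    headers = HEADER_RE.findall(line)
    if not spi or not headers:
        return None
    return {"spi": spi.group(1), "headers": headers}

def filtered_source(packet):
    """The source address a rule on enc0 is matched against: the outermost header's
    source, which is the far-side endpoint address when the IPIP header is present."""
    return packet["headers"][0][1]

def endpoints_needing_rules(capture, phase2_networks):
    """Return the set of filtered source addresses that lie outside the phase 2 (tunnel)
    networks, i.e. addresses that only an explicit pass rule on enc0 would allow."""
    nets = [ip_network(n) for n in phase2_networks]
    outside = set()
    for line in capture.splitlines():
        pkt = parse_enc0_line(line)
        if pkt is None:
            continue
        src = ip_address(filtered_source(pkt))
        if not any(src in n for n in nets):
            outside.add(str(src))
    return outside

if __name__ == "__main__":
    # The echo reply is matched on its outer IPIP source, the remote endpoint.
    print(endpoints_needing_rules(SAMPLE, ["192.168.1.0/24", "172.16.1.0/24"]))  # {'203.0.113.7'}
```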