Bug #5819

closed

Mobile IPsec 'pass out' rules overmatch

Added by Chris Buechler about 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Start date: 01/26/2016
% Done: 0%
Affected Version: All

Description

The 'pass out' rules for UDP 500 and 4500 and ESP overmatch in mobile IPsec scenarios. Their route-to ends up breaking connectivity for hosts on internal networks whose egress IPsec traffic leaves via a different WAN than the one the mobile P1 is bound to. So if mobile IPsec is bound to WAN2 and LAN hosts egress via WAN1, when a LAN client tries to connect to an outside IPsec server, its packets end up with WAN1's source IP but leave via WAN2.

The pass out rule is unnecessary for mobile, since a mobile P1 never initiates traffic outbound. The auto-added rules for site-to-site VPNs match the specific remote endpoint's IP, so they don't overmatch.
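The following pf ruleset is an added illustration of the overmatch described above; it is not pfSense's generated ruleset and is not part of the original report. Interface names, addresses and the site-to-site peer are constructed, and the mechanism it shows is the one the report describes: NAT is applied before the filter rules, so a LAN client's IKE packet is already translated to WAN1's address when a too-broad route-to rule redirects it out WAN2.

```pf
# Constructed illustration (not pfSense's generated ruleset): two WANs,
# mobile IPsec bound to WAN2, default route and LAN egress via WAN1.
# All interface names and addresses below are assumed example values.
wan1_if  = "em1"
wan2_if  = "em2"
lan_if   = "em0"
wan1_ip  = "198.51.100.10"   # constructed WAN1 address
wan2_ip  = "203.0.113.10"    # constructed WAN2 address
wan2_gw  = "203.0.113.1"     # constructed WAN2 gateway
lan_net  = "192.168.1.0/24"
s2s_peer = "192.0.2.50"      # constructed site-to-site remote endpoint

# Outbound NAT: LAN hosts routed out WAN1 are translated to WAN1's address.
# pf evaluates nat rules before filter rules, so by the time the rules
# below are matched, a LAN client's IKE packet already carries wan1_ip
# as its source address.
nat on $wan1_if from $lan_net to any -> $wan1_ip

# Overmatching mobile rules (the bug): a road-warrior peer can come from
# anywhere, so the destination is "any". That also matches a LAN client's
# own IKE/ESP traffic to an unrelated IPsec server, and route-to then
# forces those packets out WAN2 even though they were NATed to WAN1's
# address, which breaks the client's connection.
pass out route-to ($wan2_if $wan2_gw) proto udp from any to any port { 500 4500 } keep state
pass out route-to ($wan2_if $wan2_gw) proto esp from any to any keep state

# Site-to-site rules are scoped to the specific remote peer, so they only
# match traffic for that peer and leave LAN clients talking to other
# IPsec servers on their normal WAN1 path.
pass out route-to ($wan2_if $wan2_gw) proto udp from $wan2_ip to $s2s_peer port { 500 4500 } keep state
pass out route-to ($wan2_if $wan2_gw) proto esp from $wan2_ip to $s2s_peer keep state

# The report's point: a mobile (responder-only) P1 never initiates
# outbound traffic, so the two "mobile" rules above are not needed and
# removing them eliminates the overmatch.
```

Reading the ruleset top to bottom makes the failure visible: the only rule that can match a LAN client's IKE packet to an outside server is the `from any to any port { 500 4500 }` rule, and its route-to overrides the routing decision that the NAT rule was already based on.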
