Inbound traffic on enc0 is not creating a state with mobile IPsec
Traffic entering enc0 on 2.4 is not creating a state, thus TCP traffic will not pass. ICMP works as the return traffic will create a state outbound.
#3 Updated by Jim Pingle over 1 year ago
- Subject changed from Inbound traffic on enc0 is not creating a state to Inbound traffic on enc0 is not creating a state with mobile IPsec
After some more testing this appears to be a problem only with mobile IPsec, specifically (at least) IKEv2 EAP-RADIUS.
A site-to-site IPsec connection using IKEv1 or IKEv2 does not have the same problem, states are created properly.
A ping from a mobile IPsec client (10.7.200.1) to the firewall LAN (10.7.0.1) produces only this in the firewall states table:
enc0 icmp 10.7.0.1:1 -> 10.7.200.1:1 0:0 age 00:00:03, expires in 00:00:09, 3:0 pkts, 180:0 bytes, rule 88 id: 00000000583e4bc5 creatorid: b95c5943
As you can see, that is in the "wrong" direction as it's the ICMP reply creating the state and not the original message from the client.
Attempting a TCP connection from the client to the server fails because TCP cannot create a state with a reply, instead, the dropped traffic shows in the firewall log:
Dec 1 12:46:32 block enc0 TCP:SA 10.7.0.1:443 10.7.200.1:50124
Dec 1 12:47:02 shona filterlog: 6,16777216,,1000000104,enc0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,48,10.7.0.1,10.7.200.1,443,50132,0,SA,1687100934,2626059616,65228,,mss;sackOK;eol
#6 Updated by Luiz Souza about 1 year ago
- Status changed from Confirmed to Feedback
Jimp, can you check the latest build ?