Project

General

Profile

Actions

Bug #6937

closed

Inbound traffic on enc0 is not creating a state with mobile IPsec

Added by Jim Pingle about 8 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
IPsec
Target version:
Start date:
11/16/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4
Affected Architecture:
All

Description

Traffic entering enc0 on 2.4 is not creating a state, thus TCP traffic will not pass. ICMP works as the return traffic will create a state outbound.

Actions #1

Updated by Jim Pingle about 8 years ago

  • Status changed from New to Confirmed
Actions #2

Updated by Renato Botelho about 8 years ago

  • Assignee set to Luiz Souza
Actions #3

Updated by Jim Pingle almost 8 years ago

  • Subject changed from Inbound traffic on enc0 is not creating a state to Inbound traffic on enc0 is not creating a state with mobile IPsec

After some more testing this appears to be a problem only with mobile IPsec, specifically (at least) IKEv2 EAP-RADIUS.

A site-to-site IPsec connection using IKEv1 or IKEv2 does not have the same problem, states are created properly.

A ping from a mobile IPsec client (10.7.200.1) to the firewall LAN (10.7.0.1) produces only this in the firewall states table:

enc0 icmp 10.7.0.1:1 -> 10.7.200.1:1       0:0
   age 00:00:03, expires in 00:00:09, 3:0 pkts, 180:0 bytes, rule 88
   id: 00000000583e4bc5 creatorid: b95c5943

As you can see, that is in the "wrong" direction as it's the ICMP reply creating the state and not the original message from the client.

Attempting a TCP connection from the client to the server fails because TCP cannot create a state with a reply, instead, the dropped traffic shows in the firewall log:

Dec  1 12:46:32 block enc0 TCP:SA 10.7.0.1:443 10.7.200.1:50124

Dec  1 12:47:02 shona filterlog: 6,16777216,,1000000104,enc0,match,block,out,4,0x0,,64,0,0,DF,6,tcp,48,10.7.0.1,10.7.200.1,443,50132,0,SA,1687100934,2626059616,65228,,mss;sackOK;eol

Actions #4

Updated by Jun Wang almost 8 years ago

Found the same problem on a 2 weeks old SG-1000. Kinda annoying since mobile ipsec is the reason I bought it.

Actions #6

Updated by Luiz Souza almost 8 years ago

  • Status changed from Confirmed to Feedback
Actions #7

Updated by Jim Pingle almost 8 years ago

No change on the latest snap built after that commit.

Actions #8

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Assigned
Actions #9

Updated by Luiz Souza over 7 years ago

  • Status changed from Assigned to Feedback

New changes were made to handle this issue. Waiting on JimP comments.

Actions #10

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

Works great on the latest snapshot, thanks!

Actions

Also available in: Atom PDF