<p>pfSense - Bug #8686: IPsec VTI: Assigned interface firewall rules are never parsed</p>
<p>Updated by Jim Pingle on 2018-07-24T16:08:04Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=37235">journal 37235</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>IPSec VTI: Assigned interface firewall rules are never parsed</i> to <i>IPsec VTI: Assigned interface firewall rules are never parsed</i></li><li><strong>Description</strong> updated</li><li><strong>Assignee</strong> deleted (<del><i>Jim Pingle</i></del>)</li></ul><p>Issue <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Implement some controls to hide certain information for VTI Assigned Interfaces (Resolved)" href="https://redmine.pfsense.org/issues/8685">#8685</a> will work around this for now, but we can use this issue to track the longer-term problem of how these rules interact. We may have to wait for FreeBSD to solve this one since it appears to be an issue in how pf and if_ipsec interact, and how traffic shows up both on enc0 and the specific ipsecXXXX interface.</p>
<p>Updated by Jim Pingle on 2020-05-05T15:47:42Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=46024">journal 46024</a>)</p>
<p>Re-tested this since we have a new base OS on 2.5.0. Unfortunately, this still behaves the same way on 12.1-STABLE:</p>
<p>When adding a pf rule on a VTI interface, it does not function as expected. With no rules on enc0, and a pass all rule on ipsec4000, no traffic is passed.</p>
<pre>
@145(1528159274) pass in quick on ipsec4000 reply-to (ipsec4000 10.6.106.2) inet all flags S/SA keep state label "USER_RULE: VTI Test Rule"
[ Evaluations: 16050 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 21034 State Creations: 0 ]
</pre>
<p>Note that the evaluations counter increases, but it never matches.</p>
<p>tcpdump does not show any packets arriving on the ipsec4000 interface with this rule present.</p>
<p>If you add a rule to enc0 to pass the traffic, it works and then traffic also appears in tcpdump captures on ipsec4000 as it flows.</p>
<p>Packets are always visible in tcpdump on enc0.</p>
<p>Updated by Ari Suutari on 2020-06-02T00:55:30Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=46557">journal 46557</a>)</p>
<p>Is this related:<br /><a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232522</a></p>
<p>filtertunnel sysctls seem to be 0 in pfSense.</p>
<p>Updated by Jim Pingle on 2020-06-02T09:57:29Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=46559">journal 46559</a>)</p>
<p>That is certainly worth testing but we've had problems flipping that in the past (see <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: IPsec in transport mode, tunneled traffic does not flow through enc0 (Resolved)" href="https://redmine.pfsense.org/issues/2993">#2993</a>, <a class="issue tracker-1 status-3 priority-5 priority-high4 closed" title="Bug: state mismatch issue on enc0 with amd64 (Resolved)" href="https://redmine.pfsense.org/issues/2636">#2636</a>, and several forum threads) so it may not be a general solution.</p>
<p>If it works, we can document it at least. But we'd also have to check for regressions in behavior of tunneled (non-VTI) IPsec, transport mode IPsec, and general IPsec throughput/performance.</p>
<p>Updated by Jim Pingle on 2020-06-05T10:04:06Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=46620">journal 46620</a>)</p>
<p>It doesn't appear to be related. Setting that sysctl to 1, the traffic still arrives on enc0 and is blocked by pf inbound on enc0.</p>
<p>Updated by Jim Pingle on 2020-09-21T14:21:34Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=47893">journal 47893</a>)</p>
<p>I thought it was noted here but I don't see it. There is another FreeBSD issue at <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474</a> in which they recommend disabling pfil for if_enc and setting filtertunnel similar to the above:</p>
<pre>
net.enc.out.ipsec_filter_mask=0
net.enc.in.ipsec_filter_mask=0
net.inet.ipsec.filtertunnel=1
net.inet6.ipsec6.filtertunnel=1
</pre>
<p>However, that cripples policy-based tunnels since there would now be no way to filter their traffic.</p>
<p>There is still no acceptable solution that allows both to work at once.</p>
<p>Updated by Jim Pingle on 2021-02-02T13:32:22Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=50793">journal 50793</a>)</p>
<p>In addition to the above, the BPF mask also needs to be changed.</p>
<p>The complete set of required sysctl values are:</p>
<pre>
sysctl net.inet.ipsec.filtertunnel=1
sysctl net.inet6.ipsec6.filtertunnel=1
sysctl net.enc.out.ipsec_bpf_mask=0
sysctl net.enc.in.ipsec_bpf_mask=0
sysctl net.enc.out.ipsec_filter_mask=0
sysctl net.enc.in.ipsec_filter_mask=0
</pre>
<p>And then change <a class="source" href="https://redmine.pfsense.org/projects/pfsense/repository/2/entry/src/etc/inc/filter.inc#L101">source:src/etc/inc/filter.inc#L101</a> to:</p>
<pre><code class="php">$filter_interface_blacklist = array();</code></pre>
<p>With that in place, rules on assigned VTI interface tabs are respected and rules on the IPsec tab (enc0) are ignored. Since it's default deny, no traffic on enc0 will pass. (Meaning that policy-based tunnels cannot pass traffic no matter what, only assigned VTI w/rules on tabs can)</p>
<p>Updated by Jim Pingle on 2021-02-04T13:17:47Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=50892">journal 50892</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/3366/ipsec_filtermode.diff">ipsec_filtermode.diff</a> added</li></ul><p>I made a patch (attached) that adds a GUI option to toggle between the two behaviors: Filtering on enc0 (tunnel+vti), and filtering on the assigned VTI interfaces (but blocks all tunnel mode traffic). With the option set, firewall rule tabs are visible for the assigned VTI interfaces, the IPsec tab is hidden. NAT rules on VTI interfaces work.</p>
<p>It works, but obviously it's a big trade-off.</p>
<p>It's better than not having a choice, though, at least until a solution can be found in FreeBSD.</p>
<p>Updated by Jim Pingle on 2021-02-10T12:15:10Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=51029">journal 51029</a>)</p>
<p>I'm moving the option I mentioned above to a separate issue: <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Option to switch IPsec filtering modes to choose between ``enc`` and ``if_ipsec`` filtering (Closed)" href="https://redmine.pfsense.org/issues/11395">#11395</a></p>
<p>This can remain open for the longer term question of whether or not it is possible in FreeBSD to have both behaviors at the same time, rather than forcing the user to choose.</p>
<p>Updated by Jim Pingle on 2021-08-20T08:47:02Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=55862">journal 55862</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="https://redmine.pfsense.org/issues/4479">Bug #4479</a>: Firewall rules won't match GRE interface after applying IPSEC transport encryption on GRE tunnel</i> added</li></ul>
<p>Updated by beermount beermount on 2023-08-09T10:18:13Z (<a href="https://redmine.pfsense.org/issues/8686?journal_id=68992">journal 68992</a>)</p>
<p>Could the ipsec interface be enabled for inclusion to an interface group when the advanced ipsec filter mode is set to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic"?</p>
<p>The reason would be to easily apply all filter rules for a typical hub-spoke setup.</p>
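<p>Added example, written for this thread and not part of pfSense, FreeBSD, or any participant's post. It pulls together the two diagnostic points made above: the 2020-05-05 comment shows a VTI rule whose pf evaluation counter climbs while its packet counter stays at zero, and the 2020-09-21 and 2021-02-02 comments give the six sysctls that move filtering from enc0 to the assigned ipsecNNNN interfaces, with the 2021-02-02 follow-up noting that the BPF masks must be cleared as well. The script classifies a sysctl snapshot as enc, vti, or half-applied, lists rules that are evaluated but never match, and combines both into one verdict. The function names are mine; the input formats it parses (sysctl's "name: value" lines and the "@N ..." plus "[ Evaluations: ... Packets: ... ]" pair printed by pfctl -vvsr) are assumptions, and both embedded snapshots are constructed, not captured from a real system.</p>

```shell
#!/bin/sh
# Added example for this thread, not pfSense or FreeBSD project code.
# Assumed formats: `sysctl` prints "name: value"; `pfctl -vvsr` prints a rule
# line starting "@N" followed by a "[ Evaluations: .. Packets: .. ]" line.

# Classify a sysctl snapshot on stdin. Prints one of:
#   enc        filtertunnel=0 and all four net.enc masks nonzero (pf sees enc0)
#   vti        filtertunnel=1 and all four net.enc masks zero (pf sees ipsecNNNN)
#   mixed      anything else, e.g. filter masks cleared but bpf masks still set
#   incomplete fewer than the six relevant sysctls supplied (exit status 1)
ipsec_filter_mode() {
    awk -F'[:=] *' '
        { sub(/^sysctl +/, "") }                       # also accept "sysctl name=value"
        $1 == "net.inet.ipsec.filtertunnel"   { ft4 = $2 + 0; n++ }
        $1 == "net.inet6.ipsec6.filtertunnel" { ft6 = $2 + 0; n++ }
        $1 ~ /^net\.enc\.(in|out)\.ipsec_(filter|bpf)_mask$/ {
            n++; if ($2 + 0 == 0) zero++; else nonzero++
        }
        END {
            if (n != 6) { print "incomplete"; exit 1 }
            if (ft4 == 1 && ft6 == 1 && zero == 4)         print "vti"
            else if (ft4 == 0 && ft6 == 0 && nonzero == 4) print "enc"
            else                                           print "mixed"
        }'
}

# The six commands from the thread that move filtering onto assigned VTI
# interfaces. Pipe to sh to apply at runtime. Record the current values first
# (sysctl net.inet.ipsec.filtertunnel net.inet6.ipsec6.filtertunnel net.enc),
# since policy-based tunnels stop passing traffic in this mode.
vti_mode_sysctls() {
    printf 'sysctl %s\n' \
        net.inet.ipsec.filtertunnel=1 net.inet6.ipsec6.filtertunnel=1 \
        net.enc.out.ipsec_bpf_mask=0 net.enc.in.ipsec_bpf_mask=0 \
        net.enc.out.ipsec_filter_mask=0 net.enc.in.ipsec_filter_mask=0
}

# From `pfctl -vvsr` on stdin, print rules evaluated but never matched as
# "<rule#> TAB <iface> TAB <evaluations> TAB <label>". $1 limits to one iface.
stuck_pf_rules() {
    awk -v want="${1:-}" '
        /^@[0-9]+/ {                       # "@145(1528159274) pass in quick on ipsec4000 ..."
            rule = $1; sub(/\(.*/, "", rule); sub(/^@/, "", rule)
            iface = "-"; label = "-"
            for (i = 1; i < NF; i++) if ($i == "on") { iface = $(i + 1); break }
            if (match($0, /label "[^"]*"/)) label = substr($0, RSTART + 7, RLENGTH - 8)
            skip = (want != "" && iface != want)
            next
        }
        /Evaluations:/ {                   # counters for the rule line just seen
            ev = 0; pk = -1
            for (i = 1; i < NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1) + 0
                if ($i == "Packets:")     pk = $(i + 1) + 0
            }
            if (!skip && ev > 0 && pk == 0) printf "%s\t%s\t%s\t%s\n", rule, iface, ev, label
        }'
}

# One verdict from both views. $1 = sysctl snapshot text, $2 = pfctl -vvsr text.
vti_filter_diagnosis() {
    mode=$(printf '%s\n' "$1" | ipsec_filter_mode) || true
    stuck=$(printf '%s\n' "$2" | stuck_pf_rules | awk -F'\t' '$2 ~ /^ipsec[0-9]+$/' | wc -l | tr -d ' ')
    case "$mode:$stuck" in
        enc:0) echo "enc mode, no stuck VTI rules" ;;
        enc:*) echo "enc mode: $stuck VTI rule(s) never match; filter on enc0 (IPsec tab) instead" ;;
        vti:*) echo "vti mode: VTI tabs are authoritative; enc0 rules ignored, tunnel-mode traffic blocked" ;;
        *)     echo "$mode sysctl set: apply all six values before testing rules" ;;
    esac
}

# Constructed snapshot (not captured): filtertunnel flipped and filter masks
# cleared, but both bpf masks still nonzero, the half-applied state from the thread.
HALF_APPLIED_SYSCTLS='net.inet.ipsec.filtertunnel: 1
net.inet6.ipsec6.filtertunnel: 1
net.enc.out.ipsec_bpf_mask: 3
net.enc.in.ipsec_bpf_mask: 1
net.enc.out.ipsec_filter_mask: 0
net.enc.in.ipsec_filter_mask: 0'

# Constructed pfctl -vvsr excerpt modelled on the rule quoted in the thread.
SAMPLE_PFCTL='@145(1528159274) pass in quick on ipsec4000 reply-to (ipsec4000 10.6.106.2) inet all flags S/SA keep state label "USER_RULE: VTI Test Rule"
  [ Evaluations: 16050     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 21034 State Creations: 0     ]
@146(1528159275) pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE: IPsec"
  [ Evaluations: 20        Packets: 15        Bytes: 1200        States: 2     ]
  [ Inserted: pid 21034 State Creations: 2     ]'

vti_filter_diagnosis "$HALF_APPLIED_SYSCTLS" "$SAMPLE_PFCTL"
# Live box: vti_filter_diagnosis "$(sysctl net.inet.ipsec.filtertunnel \
#     net.inet6.ipsec6.filtertunnel net.enc)" "$(pfctl -vvsr)"
```

<p>The "mixed" verdict is the one worth having: two of the three sysctl sets posted in this thread are subsets of the final six, and a box with only the filter masks cleared looks like VTI mode in the GUI while the kernel still hands packets to pf on enc0. The rule scan treats evaluations without matches as the signal, so a rule that is simply never evaluated (shadowed by an earlier quick rule) is reported differently from the VTI symptom, where pf keeps evaluating the rule against traffic it never sees on that interface.</p>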