ipsec tunnel restart blocks udp traffic
When an IPsec tunnel goes down, UDP traffic to the remote network doesn't restart when the tunnel comes back.
The problem is often seen with SIP phones connected to a PBX on the other side of the tunnel.
Steps to reproduce:
1. close tunnel
2. restart phone
As a proof of the problem, look for a conntrack entry using the public WAN IP address instead of the LAN address.
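The check above can be automated: the following Python script is an added example (not part of this issue or of the NethSecurity project) that parses `/proc/net/nf_conntrack` lines and flags UDP/TCP flows whose destination is a remote tunnel LAN but whose reply tuple points at the public WAN address, i.e. flows that were NATed out the WAN while the tunnel was down and will keep bypassing it after it comes back. The subnets, WAN address and sample conntrack lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of /proc/net/nf_conntrack output (not taken from the report).
# Entry 2 is the problem case: destination is the remote LAN, but the reply tuple
# carries the public WAN address instead of the phone's LAN address (it was masqueraded).
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 176 src=192.168.1.20 dst=192.168.6.10 sport=5060 dport=5060 src=192.168.6.10 dst=192.168.1.20 sport=5060 dport=5060 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.21 dst=192.168.6.10 sport=5060 dport=5060 src=192.168.6.10 dst=203.0.113.5 sport=5060 dport=5060 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 17 src=192.168.1.22 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 secmark=0 use=2
"""

# Assumed values: the remote LAN(s) reached through the IPsec tunnel and our public WAN IP.
REMOTE_LANS = [ipaddress.ip_network("192.168.6.0/24")]
WAN_IP = ipaddress.ip_address("203.0.113.5")

# Matches one 4-tuple as printed by nf_conntrack (only protocols with ports, e.g. udp/tcp).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Split one nf_conntrack line into (proto, original_tuple, reply_tuple).

    Returns None for lines without two port-bearing tuples (e.g. icmp, header noise).
    Each tuple is a dict with ip_address objects and integer ports.
    """
    fields = line.split()
    if len(fields) < 3:
        return None
    proto = fields[2]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    orig, reply = (
        {"src": ipaddress.ip_address(s), "dst": ipaddress.ip_address(d),
         "sport": int(sp), "dport": int(dp)}
        for s, d, sp, dp in tuples
    )
    return proto, orig, reply


def find_leaked_flows(conntrack_text, remote_lans=REMOTE_LANS, wan_ip=WAN_IP):
    """Return flows to a remote tunnel LAN whose reply destination is the WAN IP.

    For a flow that correctly goes through the tunnel, the reply tuple's dst equals the
    original src (no NAT). A reply dst equal to the WAN IP means the flow was
    masqueraded out the public interface while the tunnel was down.
    """
    leaked = []
    for line in conntrack_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        proto, orig, reply = parsed
        if not any(orig["dst"] in lan for lan in remote_lans):
            continue  # not destined to the other side of the tunnel
        if reply["dst"] == wan_ip and reply["dst"] != orig["src"]:
            leaked.append((proto, str(orig["src"]), orig["sport"],
                           str(orig["dst"]), orig["dport"]))
    return leaked


if __name__ == "__main__":
    # Run on the live table when executed on the firewall; needs root to read the file.
    try:
        with open("/proc/net/nf_conntrack") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_CONNTRACK
    for flow in find_leaked_flows(text):
        print("NATed flow bypassing tunnel: %s %s:%d -> %s:%d" % flow)
```

A flow reported by this script will keep using the public address until the conntrack entry expires or is flushed (for example with `conntrack -D`), which is why the phone appears dead even after the tunnel is up again.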
#1 Updated by Filippo Carletti about 4 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
I fixed the problem by rejecting unencrypted traffic to the remote LAN.

[root@nethsecurity ~]# cat /etc/e-smith/templates-custom/etc/shorewall/rules/98ipsec
?COMMENT filippo tunnel ipsec
REJECT loc net:192.168.6.0/24
#7 Updated by Filippo Carletti about 4 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
After updating a system with some tunnels active, the following lines were added to the rules:
+?COMMENT reject ipsec-tunnel: xy +REJECT loc net:192.168.x.0/24 +?COMMENT +?COMMENT reject ipsec-tunnel: nh-y +REJECT loc net:192.168.y.0/24 +?COMMENT +?COMMENT reject ipsec-tunnel: test-z +REJECT loc net:10.10.z.0/24 +?COMMENT
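Review bot: the REJECT entries only help if they are evaluated before any ACCEPT rule for loc to net that matches the same destinations, since Shorewall stops at the first matching rule (a loc to net ACCEPT in the policy file is fine, because policies apply only after all rules); it is worth confirming where the 98ipsec template lands relative to the other rule templates. Note also that the visible rules cover only the loc zone: traffic originated by the firewall itself ($FW to net) towards the remote subnets is not rejected, so a trunk or service terminated on the firewall would need its own rule. The bare `?COMMENT` after each block is correct, as it clears the comment for the rules that follow.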
VPN traffic is not blocked.
To test UDP traffic I tore down the tunnels, stopped an IAX trunk (module unload chan_iax2.so), checked the connection tracking and re-established the tunnels.

# grep 192.168.x.254 /proc/net/nf_conntrack | grep 4569
ipv4     2 udp      17 176 src=192.168.y.252 dst=192.168.x.254 sport=4569 dport=4569 src=192.168.x.254 dst=192.168.y.252 sport=4569 dport=4569 [ASSURED] mark=0 secmark=0 use=2
Without this patch, the expected IP is the public IP address.