Enhancement #3393

ipsec tunnel restart blocks udp traffic

Added by Filippo Carletti over 3 years ago. Updated over 3 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-firewall-base
Target version: v6.8-beta1
Start date:
Due date:
% Done: 100%
Resolution:
NEEDINFO: No

Description

When an ipsec tunnel goes down, udp traffic to remote network doesn't restart when the tunnel comes back.
The problem is often seen with sip phones connected to a pbx at the other side of the tunnel.

Steps to reproduce:
1. close tunnel
2. restart phone

As proof of the problem, look for a conntrack entry using the public WAN IP address instead of the LAN address.


Related issues

Related to NethServer 6 - Bug #3416: ipsec tunnel: properly reject unencrypted traffic CLOSED

Associated revisions

Revision 4ebeef47
Added by Giacomo Sanchietti over 3 years ago

firewall: block traffic if ipsec tunnel is not established. Refs #3393

Revision 6472551a
Added by Giacomo Sanchietti over 3 years ago

firewall: block traffic if ipsec tunnel is not established. Refs #3393

History

#1 Updated by Filippo Carletti over 3 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

I fixed the problem by rejecting unencrypted traffic to the remote LAN.

[root@nethsecurity ~]# cat /etc/e-smith/templates-custom/etc/shorewall/rules/98ipsec 
?COMMENT filippo tunnel ipsec
REJECT loc net:192.168.6.0/24

#2 Updated by Filippo Carletti over 3 years ago

  • Subject changed from ipsec tunnel restart block udp traffic to ipsec tunnel restart blocks udp traffic

#3 Updated by Giacomo Sanchietti over 3 years ago

  • Target version changed from v6.7 to v6.8-beta1

#4 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in 6.8/nethserver-testing:
  • nethserver-ipsec-1.1.6-1.1.g4ebeef4.ns6.noarch.rpm

#7 Updated by Filippo Carletti over 3 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

After updating a system with some tunnels active, the following lines were added to the rules:

+?COMMENT reject ipsec-tunnel: xy
+REJECT loc net:192.168.x.0/24
+?COMMENT
+?COMMENT reject ipsec-tunnel: nh-y
+REJECT loc net:192.168.y.0/24
+?COMMENT
+?COMMENT reject ipsec-tunnel: test-z
+REJECT loc net:10.10.z.0/24
+?COMMENT

VPN traffic is not blocked.

To test UDP traffic I tore down the tunnels, stopped an IAX trunk (module unload chan_iax2.so), checked the connection tracking and re-established the tunnels.

# grep 192.168.x.254 /proc/net/nf_conntrack | grep 4569
ipv4     2 udp      17 176 src=192.168.y.252 dst=192.168.x.254 sport=4569 dport=4569 src=192.168.x.254 dst=192.168.y.252 sport=4569 dport=4569 [ASSURED] mark=0 secmark=0 use=2

Without this patch, the expected IP is the public IP address.
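
A check for the conntrack symptom described in the issue and in the note above, as an added example that is not part of the original ticket or of NethServer: it parses /proc/net/nf_conntrack lines and flags flows to a tunnelled network whose reply tuple points at the WAN address, i.e. traffic that was masqueraded out in clear while the tunnel was down. The tunnel networks, the WAN IP and the sample lines are constructed; the function names are assumptions.

```python
import ipaddress
from typing import Dict, List

# Remote networks reached through IPsec tunnels and the firewall's public
# address (constructed for this example; 192.168.6.0/24 is the network used
# in comment #1 above, 203.0.113.10 is a documentation-range placeholder).
TUNNEL_NETS = [ipaddress.ip_network("192.168.6.0/24"),
               ipaddress.ip_network("10.10.7.0/24")]
WAN_IP = "203.0.113.10"

# Constructed /proc/net/nf_conntrack lines: a healthy SIP flow through the
# tunnel, the same kind of flow leaked and masqueraded to the WAN address
# while the tunnel was down, and an ordinary HTTPS flow to the internet.
SAMPLE = """\
ipv4     2 udp      17 176 src=192.168.5.20 dst=192.168.6.254 sport=5060 dport=5060 src=192.168.6.254 dst=192.168.5.20 sport=5060 dport=5060 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=192.168.5.21 dst=192.168.6.254 sport=5060 dport=5060 src=192.168.6.254 dst=203.0.113.10 sport=5060 dport=1025 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.5.20 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=203.0.113.10 sport=443 dport=40000 [ASSURED] mark=0 secmark=0 use=2
""".splitlines()


def parse_conntrack(line: str) -> Dict[str, str]:
    """Split one nf_conntrack line into its original and reply tuples.
    src=/dst= appear twice: the first pair is the original direction,
    the second is the reply the kernel expects (i.e. post-NAT)."""
    fields = line.split()
    entry = {"proto": fields[2]}
    seen = {"src": 0, "dst": 0}
    for field in fields:
        key, _, value = field.partition("=")
        if key in seen and seen[key] < 2:
            entry[("orig_", "reply_")[seen[key]] + key] = value
            seen[key] += 1
    return entry


def leaked_entries(lines: List[str], wan_ip: str) -> List[Dict[str, str]]:
    """Flows whose destination is behind a tunnel but whose reply tuple is
    addressed to the WAN IP: they were masqueraded out in clear while the
    tunnel was down, and conntrack keeps steering them that way until the
    entry expires. A healthy tunnelled flow keeps the LAN source instead."""
    leaked = []
    for line in lines:
        entry = parse_conntrack(line)
        if "orig_dst" not in entry or "reply_dst" not in entry:
            continue  # malformed or truncated line
        dst = ipaddress.ip_address(entry["orig_dst"])
        if any(dst in net for net in TUNNEL_NETS) and entry["reply_dst"] == wan_ip:
            leaked.append(entry)
    return leaked
```

Run it against the real table with `leaked_entries(open("/proc/net/nf_conntrack").read().splitlines(), WAN_IP)`; any hit is a flow that will stay broken after the tunnel returns until its entry times out or is flushed.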

#8 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in
  • 6.8/nethserver-base: nethserver-ipsec-1.1.7-1.ns6.noarch.rpm
  • 7.2/nethserver-testing: nethserver-ipsec-1.1.7-1.13.g895487e.ns7.noarch.rpm

#9 Updated by Filippo Carletti over 3 years ago

  • Related to Bug #3416: ipsec tunnel: properly reject unencrypted traffic added
