Enhancement #3393
ipsec tunnel restart blocks udp traffic
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-firewall-base | |
Target version: | v6.8-beta1 | |
Resolution: | | NEEDINFO: | No
Description
When an ipsec tunnel goes down, udp traffic to the remote network doesn't restart when the tunnel comes back.
The problem is often seen with sip phones connected to a pbx at the other side of the tunnel.
Steps to reproduce:
1. close tunnel
2. restart phone
As a proof of the problem, look for a conntrack entry using the public WAN IP address instead of the LAN address.
Related issues
Associated revisions
firewall: block traffic if ipsec tunnel is not established. Refs #3393
firewall: block traffic if ipsec tunnel is not established. Refs #3393
History
#1 Updated by Filippo Carletti about 5 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
I fixed the problem rejecting unencrypted traffic to the remote lan.
```
[root@nethsecurity ~]# cat /etc/e-smith/templates-custom/etc/shorewall/rules/98ipsec
?COMMENT filippo tunnel ipsec
REJECT loc net:192.168.6.0/24
```
#2 Updated by Filippo Carletti about 5 years ago
- Subject changed from ipsec tunnel restart block udp traffic to ipsec tunnel restart blocks udp traffic
#3 Updated by Giacomo Sanchietti about 5 years ago
- Target version changed from v6.7 to v6.8-beta1
#4 Updated by Giacomo Sanchietti about 5 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti about 5 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti about 5 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-ipsec-1.1.6-1.1.g4ebeef4.ns6.noarch.rpm
#7 Updated by Filippo Carletti about 5 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
After updating a system with some tunnels active, the following lines were added to the rules:
```
+?COMMENT reject ipsec-tunnel: xy
+REJECT loc net:192.168.x.0/24
+?COMMENT
+?COMMENT reject ipsec-tunnel: nh-y
+REJECT loc net:192.168.y.0/24
+?COMMENT
+?COMMENT reject ipsec-tunnel: test-z
+REJECT loc net:10.10.z.0/24
+?COMMENT
```
VPN traffic is not blocked.
To test udp traffic I tore down the tunnels, stopped an IAX trunk (module unload chan_iax2.so), checked the connection tracking and re-established the tunnels.
```
# grep 192.168.x.254 /proc/net/nf_conntrack | grep 4569
ipv4     2 udp      17 176 src=192.168.y.252 dst=192.168.x.254 sport=4569 dport=4569 src=192.168.x.254 dst=192.168.y.252 sport=4569 dport=4569 [ASSURED] mark=0 secmark=0 use=2
```
Without this patch, the expected IP is the public IP address.
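The conntrack check from the description ("look for a conntrack entry using the public WAN IP address") and from the verification in this comment, as an added shell example that is not part of this issue or of the NethServer project: it parses `/proc/net/nf_conntrack` lines and flags flows to the IPsec remote LAN whose reply destination is the public WAN address, i.e. entries created and masqueraded while the tunnel was down, which keep steering traffic out of the WAN unencrypted after the tunnel is back. The remote LAN prefix (192.168.6.0/24, from comment #1), the WAN address 203.0.113.10 and the three sample conntrack lines are constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not NethServer code: detect conntrack entries toward the
# IPsec remote LAN that were SNATed to the WAN address (stale "tunnel down"
# flows). Run on a live host as:  find_leaked_entries < /proc/net/nf_conntrack

REMOTE_LAN_PREFIX="192.168.6."   # remote LAN from comment #1 (assumption: /24)
WAN_IP="203.0.113.10"            # constructed WAN address (documentation range)

# Constructed sample of /proc/net/nf_conntrack output:
#  line 1: healthy flow, reply destination is the LAN host (went through the tunnel)
#  line 2: stale flow created while the tunnel was down, reply destination is the WAN IP
#  line 3: ordinary internet flow, not related to the remote LAN
SAMPLE_CONNTRACK='ipv4     2 udp      17 176 src=192.168.1.252 dst=192.168.6.254 sport=4569 dport=4569 src=192.168.6.254 dst=192.168.1.252 sport=4569 dport=4569 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 170 src=192.168.1.200 dst=192.168.6.10 sport=5060 dport=5060 src=192.168.6.10 dst=203.0.113.10 sport=5060 dport=1024 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=8.8.8.8 sport=40000 dport=443 src=8.8.8.8 dst=203.0.113.10 sport=443 dport=40000 [ASSURED] mark=0 secmark=0 use=2'

# Reads conntrack text on stdin; prints one line per leaked entry as
# "<proto> <orig src> -> <orig dst> reply-to <reply dst>".
find_leaked_entries() {
    awk -v remote="$REMOTE_LAN_PREFIX" -v wan="$WAN_IP" '
    {
        # Each conntrack line carries two src=/dst= pairs: the original
        # direction first, then the expected reply direction.
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        # Leaked: original destination is in the remote LAN, but the reply is
        # expected at the WAN address, so the flow was masqueraded, not tunnelled.
        if (index(dst[1], remote) == 1 && dst[2] == wan)
            print $3, src[1], "->", dst[1], "reply-to", dst[2]
    }'
}

# Number of leaked entries in the constructed sample (1 expected).
leaked_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | find_leaked_entries | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CONNTRACK" | find_leaked_entries
```

A non-empty result reproduces the symptom in the description: the phone's flow will keep using the masqueraded entry until it times out or is deleted (conntrack-tools' `conntrack -D -d <remote-net>` removes such entries), which is why the fix rejects loc→net traffic for the remote network while the tunnel is not established, so no such entry is created in the first place.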
#8 Updated by Giacomo Sanchietti about 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- 6.8/nethserver-base: nethserver-ipsec-1.1.7-1.ns6.noarch.rpm
- 7.2/nethserver-testing: nethserver-ipsec-1.1.7-1.13.g895487e.ns7.noarch.rpm
#9 Updated by Filippo Carletti about 5 years ago
- Related to Bug #3416: ipsec tunnel: properly reject unencrypted traffic added