| Summary: | Core Update 165 (testing): charon logs iptables warnings while establishing an IPsec connection | ||
|---|---|---|---|
| Product: | IPFire | Reporter: | Peter Müller <peter.mueller> |
| Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
| Status: | CLOSED FIXED | QA Contact: | Peter Müller <peter.mueller> |
| Severity: | Balancing | ||
| Priority: | Will affect most users | CC: | michael.tremer |
| Version: | 2 | ||
| Hardware: | unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=12866 | ||
|
Description
Peter Müller
2022-03-20 09:34:52 UTC
I have noticed this too. Can you find out what the full command line was that lead to this problem? I believe this is caused by lines 109 and 117 in our strongSwan patch: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/patches/strongswan-ipfire.patch;h=0f137ca2a821630c482d428e57f78d32aaf6bf2d;hb=HEAD#l109 However, I do not completely understand what we are doing here, but creating an iptables rule for the protocol "IP" does not seem to make sense indeed. (In reply to Peter Müller from comment #2) > I believe this is caused by lines 109 and 117 in our strongSwan patch: > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/patches/strongswan- > ipfire.patch;h=0f137ca2a821630c482d428e57f78d32aaf6bf2d;hb=HEAD#l109 Yes, this is the place where this goes wrong. > However, I do not completely understand what we are doing here, but creating > an iptables rule for the protocol "IP" does not seem to make sense indeed. It does if you are using any IPinIP encapsulation. This bug has been introduced with the iana-etc update in: > https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=fb3e1c82c8b5e12314e87ea4641479bd1f4052fd /etc/protocols contains a list of protocols and "IP" has been removed from it. I will send a patch that changes the iptables command in this script so this will work. Give me some time for this to check whether we need the AH and ESP rules still. |