Bug 12866

Summary: Some firewall rules are missing for IPsec N2N connections
Product: IPFire
Component: ---
Status: CLOSED FIXED
Severity: Major Usability
Priority: - Unknown -
Version: 2
Hardware: unspecified
OS: Unspecified
Reporter: Peter Müller <peter.mueller>
Assignee: Peter Müller <peter.mueller>
QA Contact: Michael Tremer <michael.tremer>
CC: christian.keck
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12808

Description Peter Müller 2022-05-18 15:33:49 UTC
https://community.ipfire.org/t/core-update-167-ipsec-issue/7893/

I was able to reproduce this issue with an IPsec N2N connection between two IPFire machines running Core Update 167.

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  2300 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   17  5193 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   15  3840 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   44  9068 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500

While the IPsec tunnel is established properly, no traffic flows through it, and messages like these suggest we cannot scrap ESP from the firewall rules installed when a tunnel comes up.

May 18 17:25:25 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=ESP SPI=0xcb18bb02 MARK=0x8000cb00 
May 18 17:25:26 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=ESP SPI=0xcb18bb02 MARK=0x8000cb00 
May 18 17:25:27 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=ESP SPI=0xcb18bb02 MARK=0x8000cb00 

Root cause: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=28f659f75cfbbf21cd0fb8dd55b41af4203a0ecc
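Added example, not IPFire's own code and not the patch discussed in this bug: a small POSIX shell script that counts the dropped ESP/AH packets in kernel log lines like the ones above, reports which of ESP/AH have no ACCEPT rule in an `iptables -L <chain> -v -n` listing, and prints the iptables commands that would add them to IPSECINPUT/IPSECOUTPUT. The chain names and the DROP_INPUT log prefix are taken from the report; the function names, the sample listing and log lines (constructed from the ones above, with an extra UDP drop and an AH drop added), and the plain `-p esp`/`-p ah -j ACCEPT` rule shape are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not IPFire's own code). Chain names IPSECINPUT/IPSECOUTPUT
# and the DROP_INPUT log prefix come from the bug report; function names and
# the sample data below are constructed for illustration.

# Constructed sample: the IPSECINPUT listing from the report (UDP 500/4500
# only, no ESP/AH rule).
SAMPLE_CHAIN='Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  2300 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   17  5193 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500'

# Constructed sample kernel log: two dropped ESP packets as in the report,
# one unrelated UDP drop, and one dropped AH packet on the output side.
SAMPLE_LOG='May 18 17:25:25 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=ESP SPI=0xcb18bb02 MARK=0x8000cb00
May 18 17:25:26 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=ESP SPI=0xcb18bb02 MARK=0x8000cb00
May 18 17:25:27 firewall kernel: DROP_INPUT IN=ppp0 OUT= MAC= SRC=x DST=x LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=40
May 18 17:25:28 firewall kernel: DROP_OUTPUT IN= OUT=ppp0 SRC=x DST=x LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=AH SPI=0x00000123 MARK=0x8000cb00'

# Read kernel log text on stdin; print "<count> <chain-prefix> <proto> <spi>"
# for every dropped ESP/AH flow. A steady stream of these while the IKE SAs
# are up is the symptom described in the report.
ipsec_drops() {
    sed -nE 's/.*(DROP_[A-Z]+) .*PROTO=(ESP|AH) SPI=(0x[0-9a-f]+).*/\1 \2 \3/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Total number of dropped ESP/AH packets in the log text on stdin.
ipsec_drop_count() {
    ipsec_drops | awk '{ n += $1 } END { print n + 0 }'
}

# Read `iptables -L <chain> -v -n` output on stdin; print each of esp/ah that
# has no ACCEPT rule. Column 3 is the target and column 4 the protocol; the
# protocol may be shown by name or by number depending on the iptables version.
missing_ipsec_protos() {
    accepted=$(awk '$3 == "ACCEPT" { print $4 }')
    for p in esp:50 ah:51; do
        name=${p%:*}
        num=${p#*:}
        printf '%s\n' "$accepted" | grep -qxE "($name|$num)" || echo "$name"
    done
}

# Print the iptables commands that would accept ESP and AH in both chains.
# Pipe the output into sh as root on the firewall to apply it; nothing is
# executed here.
ipsec_esp_rules() {
    for chain in IPSECINPUT IPSECOUTPUT; do
        for proto in esp ah; do
            echo "iptables -A $chain -p $proto -j ACCEPT"
        done
    done
}

# Stand-alone run: report the drops, what is missing, and the rules to add.
main() {
    echo "Dropped IPsec packets (count chain proto spi):"
    printf '%s\n' "$SAMPLE_LOG" | ipsec_drops
    echo "IPSECINPUT has no ACCEPT rule for:"
    printf '%s\n' "$SAMPLE_CHAIN" | missing_ipsec_protos
    echo "Rules to add:"
    ipsec_esp_rules
}

main
```

Accepting ESP and AH wholesale puts them at the same trust level as the existing UDP 500/4500 rules: a packet whose SPI does not match an SA installed by the IKE daemon is still discarded by the kernel's XFRM layer, so the rule only lets the kernel see the packet, it does not bypass the SA lookup. On a live firewall, run the `missing_ipsec_protos` check against both IPSECINPUT and IPSECOUTPUT before and after applying the rules, and use `iptables -C <chain> -p esp -j ACCEPT` first if the script is to be re-run, since `-A` appends a duplicate rule otherwise.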
Comment 2 Michael Tremer 2022-05-18 16:02:24 UTC
(In reply to Peter Müller from comment #1)
> https://patchwork.ipfire.org/project/ipfire/patch/64c47b49-abd0-737b-5a93-6b621be190e2@ipfire.org/

This is not the solution then. The original commit fixes a problem which is now back.

If you want to keep the ESP/AH rules, they would have to be implemented on their own again.