12317 – IPsec: IPfire creates incomplete firewall rules when using multiple subnets

Bug 12317 - IPsec: IPfire creates incomplete firewall rules when using multiple subnets

Summary: IPsec: IPfire creates incomplete firewall rules when using multiple subnets

Status:	CLOSED NOTABUG

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	unspecified Unspecified

Importance:	- Unknown - Major Usability
Assignee:	Michael Tremer
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-03-12 15:01 UTC by Larsen
Modified:	2020-03-24 15:38 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Larsen 2020-03-12 15:01:28 UTC

I have an IPsec VPN where the remote site uses two subnets. Those two subnets are entered into the "Remote subnet" field separated by comma: "192.168.23.0/24,192.168.24.0/24"

I can then ping a host in the .23 subnet, but not in the .24 subnet.
This reverses when I reverse the order of the subnets. Configuring it as "192.168.24.0/24,192.168.23.0/24", I can then ping a host in .24, but not in .23 anymore.


Comparing the iptables rules (1 = .23 first; 2 = .24 first):

atl-ipfire:~# diff 1 2
475,476c475,476
< RETURN     all  --  192.168.23.0/24      10.160.85.0/24       policy match dir in pol ipsec reqid 24 proto 50
< MARK       all  --  10.160.85.0/24       192.168.23.0/24      policy match dir out pol ipsec reqid 24 proto 50 MARK set 0x32
---
> RETURN     all  --  192.168.24.0/24      10.160.85.0/24       policy match dir in pol ipsec reqid 25 proto 50
> MARK       all  --  10.160.85.0/24       192.168.24.0/24      policy match dir out pol ipsec reqid 25 proto 50 MARK set 0x32
489c489
< RETURN     all  --  192.168.23.0/24      10.160.85.0/24       policy match dir in pol ipsec reqid 24 proto 50
---
> RETURN     all  --  192.168.24.0/24      10.160.85.0/24       policy match dir in pol ipsec reqid 25 proto 50
502c502
< MARK       all  --  10.160.85.0/24       192.168.23.0/24      policy match dir out pol ipsec reqid 24 proto 50 MARK set 0x32
---
> MARK       all  --  10.160.85.0/24       192.168.24.0/24      policy match dir out pol ipsec reqid 25 proto 50 MARK set 0x32


Apparently, IPfire only creates iptables rules for the subnet that is entered at the first position.

Comment 1 Larsen 2020-03-12 15:03:35 UTC

My forum thread for reference:
https://community.ipfire.org/t/multiple-subnets-in-ipsec-only-first-one-is-reachable/1488/

Comment 2 Michael Tremer 2020-03-12 17:07:29 UTC

This is working absolutely fine for me. Which release are you on?

Comment 3 Larsen 2020-03-12 18:18:54 UTC

IPFire 2.25 (x86_64) - Core Update 141

Comment 4 Michael Tremer 2020-03-12 19:05:40 UTC

Could you please post the output of "ipsec statusall"?

Comment 5 Larsen 2020-03-13 11:50:48 UTC

atl-ipfire:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 4.14.154-ipfire, x86_64):
  uptime: 17 hours, since Mar 12 19:22:06 2020
  malloc: sbrk 2908160, mmap 0, used 1404080, free 1504080
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 13
  loaded plugins: charon aes rc2 des sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp counters
Virtual IP pools (size/online/offline):
  192.168.110.0/24: 254/0/0
Listening IP addresses:
  192.168.120.1
  #our_external_ip#
  10.119.127.1
Connections:
      Customer:  %any...#customer_ip#  IKEv1, dpddelay=30s
      Customer:   local:  [#our_external_ip#] uses pre-shared key authentication
      Customer:   remote: [#customer_ip#] uses pre-shared key authentication
      Customer:   child:  10.160.85.0/24 === 192.168.23.0/24 192.168.24.0/24 TUNNEL, dpdaction=restart
Routed Connections:
     OtherCustomer{5}:  ROUTED, TUNNEL, reqid 1
     OtherCustomer{5}:   10.160.74.0/24 === 10.192.0.0/16
Security Associations (2 up, 0 connecting):
      Customer[17]: ESTABLISHED 68 seconds ago, #our_external_ip#[#our_external_ip#]...#customer_ip#[#customer_ip#]
      Customer[17]: IKEv1 SPIs: 2ece5da10a162596_i bb585b0882e4dfce_r*, pre-shared key reauthentication in 2 hours
      Customer[17]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Customer{51}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: c1e3691d_i cbccffcb_o
      Customer{51}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 315934 bytes_i (948 pkts, 1s ago), 148205 bytes_o (848 pkts, 1s ago), rekeying in 44 minutes
      Customer{51}:   10.160.85.0/24 === 192.168.23.0/24

Comment 6 Michael Tremer 2020-03-15 09:06:45 UTC

(In reply to Larsen from comment #5)
>       Customer{51}:   10.160.85.0/24 === 192.168.23.0/24

You only negotiated one subnet. I assume that this is some Cisco equipment that simply does not support more than one subnet. So you can either combine them with a larger subnet mask or you will have to create two separate tunnels.

We unfortunately have no good and easy way to show what has actually been negotiated in the web UI.

Comment 7 Larsen 2020-03-22 10:54:55 UTC

Customer told me this is not some Cisco equipment:

> Securepoint UTM v11.8 - 11.8.7.2
> Running as a virtual appliance on a HyperV-cluster.
> Some other connections are using multiple subnets

Therefore, the problem appears to be with IPFire. Anything I could test to verify it's not?

Comment 8 Larsen 2020-03-23 13:24:22 UTC

Customer just informed us that their Securepoint support told them this might be a problem of negotiating both subnets at once. Hence, this should be done one after another.

Is this possible?

Comment 9 Michael Tremer 2020-03-23 17:59:10 UTC

(In reply to Larsen from comment #7)
> > Securepoint UTM v11.8 - 11.8.7.2
> > Running as a virtual appliance on a HyperV-cluster.

Oh my god!

(In reply to Larsen from comment #8)
> Customer just informed us that their Securepoint support told them this
> might be a problem of negotiating both subnets at once. Hence, this should
> be done one after another.
> 
> Is this possible?

You simply need to configure two tunnels on IPFire. They MUST have the same PSK (I suppose you are not using certificates) and they will only create one IKE instance and two ESPs.

Comment 10 Larsen 2020-03-24 14:46:58 UTC

Apparently I have to use the same local subnet for both remote subnets. Is that correct?

As I first tried it with ".85 -> .23" (first tunnel) and ".86 -> .24" (second tunnel), the second tunnel couldn't be established.

Comment 11 Michael Tremer 2020-03-24 14:55:01 UTC

(In reply to Larsen from comment #10)
> Apparently I have to use the same local subnet for both remote subnets. Is
> that correct?

Yes, you only have one subnet anyways, don't you?

> As I first tried it with ".85 -> .23" (first tunnel) and ".86 -> .24"
> (second tunnel), the second tunnel couldn't be established.

I am not sure what those numbers are supposed to represent.

Comment 12 Larsen 2020-03-24 15:08:48 UTC

I specify those myself, so in principle I can have a lot of them.

Main reason being as I don't have much knowledge there, it was simply more intuitive for me to use a separate local subnet for each different remote subnet.


> > As I first tried it with ".85 -> .23" (first tunnel) and ".86 -> .24"
> > (second tunnel), the second tunnel couldn't be established.
> 
> I am not sure what those numbers are supposed to represent.

Shortened form of the local/remote subnet.

Comment 13 Larsen 2020-03-24 15:09:11 UTC

Oh, and thanks of course! =)

Comment 14 Michael Tremer 2020-03-24 15:36:23 UTC

(In reply to Larsen from comment #13)
> Oh, and thanks of course! =)

You are welcome. Also, I can only warmly recommend support: https://www.lightningwirelabs.com/products/ipfire/support

Comment 15 Larsen 2020-03-24 15:38:45 UTC

Have already made use of that =)