[Bug] Reproduced bug with IPSec Routed and a routing entry getting lost.

Started by mrzaz, April 01, 2021, 01:33:06 AM

Hello,

I have found a reproducible bug with IPSec Routed and a routing entry getting lost causing issues to ping/reach remote tunnel-IP.

Prerequisites:
- Tested with 21.1.4
- Set up IPSec Routed on both ends.
example:
I have an IPSec routed net with phase1 and phase2 set up with a tunnel-net 10.6.110.0/30.
Router1   10.6.110.1/30     (LAN: 192.168.120.221/24)
Router2   10.6.110.2/30     (LAN: 192.168.120.231/24)
- Have enabled "Dynamic gateway policy" and it has created the Dynamic Gateways in the gateway tab.
- I have also added a rule on IPSec+VTI_ifc+LAN with an "Allow Firewall to respond to pings"
  Dir: in, IPv4, ICMP, Any, This Firewall
- Configured the dynamically created gateways with "Far Gateway"

1. restart routers. Both routers have the following entries. (reversed order in router2)
Destination        Gateway            Flags     Netif Expire
default            178.132.73.97      UGS      vtnet0
10.6.110.1         link#7             UHS         lo0
10.6.110.2         link#7             UH       ipsec1

2. Go to Gateways and edit the dynamic gateway created from IPsec.

3. Untick the "Disable Gateway Monitoring" and enter the tunnel IP on the other side and press APPLY.
(e.g. 10.6.110.2)

4. Go to Gateways and edit the dynamic gateway created from IPsec again.

5. Tick the "Disable Gateway Monitoring" and remove the tunnel IP so the edit box is blank and press APPLY.

6. Now the routing table has lost one entry (the "10.6.110.2         link#7             UH       ipsec1" line):
Destination        Gateway            Flags     Netif Expire
default            178.132.73.97      UGS      vtnet0
10.6.110.1         link#7             UHS         lo0

This is a bug.

This has now been issued in:
https://github.com/opnsense/core/issues/4888

Also, another issue seen is that even when both entries exist and you can ping the remote tunnel IP both from the command line and through the OPNsense web GUI, if you enable gateway monitoring the monitor IP shows as blank, the Gateway also shows blank, and it is always OFFLINE.

I found the following on GitHub that looks like the problem.
https://github.com/opnsense/core/issues/4676

In pfSense, from which I am currently migrating to OPNsense (which will be my router to use in the future), the IPSec Routed dynamically created gateways always pick up and show the Gateway IP and the Monitor IP even if IP says "dynamic". This could possibly be an additional bug.

Best regards
Dan Lundqvist
Stockholm, Sweden
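A small check script, added here as an example and not part of the original post or of OPNsense itself, that parses `netstat -rn`-style output and reports whether the host route to the remote tunnel IP over the VTI interface is still present. The two routing tables embedded below are constructed to mirror the before (step 1) and after (step 6) output quoted above; on a live box you would feed it the real `netstat -rn -f inet` output instead (assumption: the FreeBSD netstat column layout that OPNsense uses).

```shell
#!/bin/sh
# Added example (not from the original post): verify that the IPsec VTI host
# route survives a gateway edit. Works on netstat -rn style tables where the
# columns are Destination, Gateway, Flags, Netif [, Expire].

# Constructed "before" table, mirroring step 1 in the post.
ROUTES_BEFORE='Destination        Gateway            Flags     Netif Expire
default            178.132.73.97      UGS      vtnet0
10.6.110.1         link#7             UHS         lo0
10.6.110.2         link#7             UH       ipsec1'

# Constructed "after" table, mirroring step 6 in the post: the ipsec1 route is gone.
ROUTES_AFTER='Destination        Gateway            Flags     Netif Expire
default            178.132.73.97      UGS      vtnet0
10.6.110.1         link#7             UHS         lo0'

# has_route TABLE DESTINATION NETIF
# Returns 0 when a line whose first column is DESTINATION and whose fourth
# column is NETIF exists in TABLE, 1 otherwise.
has_route() {
    printf '%s\n' "$1" | awk -v dst="$2" -v ifc="$3" \
        '$1 == dst && $4 == ifc { found = 1 } END { exit found ? 0 : 1 }'
}

# check_tunnel_route TABLE REMOTE_TUNNEL_IP NETIF
# Prints a verdict and returns 0 if the route is present, 1 if it was lost.
check_tunnel_route() {
    if has_route "$1" "$2" "$3"; then
        echo "OK: host route to $2 via $3 present"
        return 0
    fi
    echo "MISSING: host route to $2 via $3 not in routing table"
    return 1
}

# Stand-alone usage against the constructed tables. On a real router replace
# the table variable with "$(netstat -rn -f inet)" after each gateway edit.
check_tunnel_route "$ROUTES_BEFORE" 10.6.110.2 ipsec1
check_tunnel_route "$ROUTES_AFTER" 10.6.110.2 ipsec1 || true
```

Running the script after step 5 of the reproduction and again after a restart gives a quick, scriptable way to confirm whether the route was dropped, without having to eyeball the whole table.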