by anonymous

Hello,

Stopping an IPsec tunnel causes the "Exclude-IPsec-from-NAT" rule to be deleted from the NAT table; unfortunately, it is not restored when the tunnel is restarted.

With the tunnel up:

root@lgrrutx:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 15 minutes ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b95483_i cadf7ee0_o
totsinuc-totsinuc_c{1}:   172.31.254.18/32 === 172.31.254.0/24
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */

Tunnel stopped via the UI:

root@lgrrutx:~# ipsec status
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'

Tunnel restarted:

root@lgrrutx:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 12 seconds ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c4385ea2_i c2330f4a_o
totsinuc-totsinuc_c{1}:   172.31.254.18/32 === 172.31.254.0/24
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'
root@lgrrutx:~#

Of course in this state the tunnel is unusable. This issue is not new.

Regards,
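The check the post performs by hand (grep the NAT table for the `pol ipsec` ACCEPT rule after every tunnel restart) can be scripted. The script below is an added example, not Teltonika or fw3 code and not a vendor fix. It assumes the exclusion rule belongs in the nat POSTROUTING chain (the `grep` in the post hides the chain header), that the rule is an ACCEPT for `-m policy --dir out --pol ipsec` with the comment shown in the listing, and that it must sit above the MASQUERADE rule so tunnel-bound packets are not source-NATed. The sample listings inside the script are constructed for an offline check, not captured from a device.

```shell
#!/bin/sh
# Added example (not Teltonika/fw3 code): detect, and on request restore,
# the "Exclude-IPsec-from-NAT" rule that the post shows vanishing after an
# IPsec stop/start.  Assumptions: the rule lives in nat/POSTROUTING, it is
# an ACCEPT for `-m policy --dir out --pol ipsec`, and it must precede the
# MASQUERADE rule.

NAT_CHAIN="POSTROUTING"                          # assumed chain
RULE_COMMENT="!fw3: Exclude-IPsec-from-NAT"      # comment seen in the post

# rule_present LISTING
# LISTING is the text of `iptables -t nat -S $NAT_CHAIN`.  Returns 0 when an
# ACCEPT rule matching outbound IPsec policy is present, 1 when it is not.
rule_present() {
    printf '%s\n' "$1" | grep -q -- '--dir out --pol ipsec .*-j ACCEPT'
}

# exclusion_precedes_masquerade LISTING
# Returns 0 only if the IPsec ACCEPT rule appears before every MASQUERADE
# rule in LISTING; a missing ACCEPT, or a MASQUERADE listed first, returns 1.
exclusion_precedes_masquerade() {
    printf '%s\n' "$1" | awk '
        /--dir out --pol ipsec/ && /-j ACCEPT/ { seen = 1 }
        /-j MASQUERADE/ && !seen             { bad = 1; exit }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# ensure_exclusion_rule
# Queries the live NAT table (root and iptables required) and inserts the
# rule at position 1 of $NAT_CHAIN when it is missing, so it lands above any
# MASQUERADE rule.  Not exercised by the offline self-check.
ensure_exclusion_rule() {
    listing=$(iptables -t nat -S "$NAT_CHAIN") || return 1
    if rule_present "$listing"; then
        echo "ok: exclusion rule present in nat/$NAT_CHAIN"
        return 0
    fi
    echo "missing: re-inserting exclusion rule at top of nat/$NAT_CHAIN"
    iptables -t nat -I "$NAT_CHAIN" 1 \
        -m policy --dir out --pol ipsec \
        -m comment --comment "$RULE_COMMENT" \
        -j ACCEPT
}

# Constructed sample listings (not captured from a router) in the format of
# `iptables -t nat -S POSTROUTING`, used to exercise the predicates offline.
SAMPLE_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j MASQUERADE'

SAMPLE_MISSING='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j MASQUERADE'

SAMPLE_WRONG_ORDER='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT'

# self_check: runs the predicates against the samples; returns 0 if every
# case is classified as expected.
self_check() {
    rule_present "$SAMPLE_OK"                              || return 1
    rule_present "$SAMPLE_MISSING"                         && return 1
    exclusion_precedes_masquerade "$SAMPLE_OK"             || return 1
    exclusion_precedes_masquerade "$SAMPLE_MISSING"        && return 1
    exclusion_precedes_masquerade "$SAMPLE_WRONG_ORDER"    && return 1
    return 0
}

# Usage:  sh ipsec-nat-check.sh --apply   (on the router, as root)
#         sh ipsec-nat-check.sh           (offline self-check only)
case "${1:-}" in
    --apply) ensure_exclusion_rule ;;
    *)       self_check && echo "self-check passed" ;;
esac
```

Run it with `--apply` from an ipsec updown hook or a cron entry to re-create the rule after a tunnel restart. Two caveats: a rule inserted by hand is outside fw3's management and will be flushed the next time the firewall is reloaded, and if the exclusion is defined in /etc/config/firewall, `/etc/init.d/firewall reload` should regenerate it and is the cleaner workaround. Whatever re-adds the rule, verify the order afterwards: an exclusion that sits below MASQUERADE matches nothing, which is why the script checks position as well as presence.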

1 Answer

by anonymous
Hello,

Thank you for informing us.

I will forward this issue to the development team.

Best regards,
by anonymous

While you are at it, enable the rule by default. It does nothing if there is no active IPsec tunnel and is required for the tunnel to be usable.