Hello,
Stopping an IPsec tunnel causes the "Exclude-IPsec-from-NAT" rule to be deleted from the NAT table; unfortunately, it is not restored when the tunnel is restarted.
With the tunnel up:
[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 15 minutes ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b95483_i cadf7ee0_o
totsinuc-totsinuc_c{1}: 172.31.254.18/32 === 172.31.254.0/24
[email protected]:~# iptables -t nat -n -L | grep 'pol ipsec'
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */
Tunnel stopped via the UI:
[email protected]:~# ipsec status
[email protected]:~# iptables -t nat -n -L | grep 'pol ipsec'
Tunnel restarted:
[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 12 seconds ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c4385ea2_i c2330f4a_o
totsinuc-totsinuc_c{1}: 172.31.254.18/32 === 172.31.254.0/24
[email protected]:~# iptables -t nat -n -L | grep 'pol ipsec'
[email protected]:~#
Of course in this state the tunnel is unusable. This issue is not new.
Regards,
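The check the post performs by hand (is the outbound-IPsec ACCEPT rule still in the nat table after a tunnel restart?) can be scripted. The following is an added example, not code from the original post or from the firewall project: it inspects `iptables -t nat -S` style output for a rule matched on `-m policy --dir out --pol ipsec` and, when the rule is gone, prints the command that would re-insert it ahead of any MASQUERADE rule. The chain name (POSTROUTING), the exact rule text, the comment and the two sample tables are assumptions constructed for the example; on a real box feed it `iptables -t nat -S POSTROUTING` instead.

```shell
#!/bin/sh
# Added example (not from the original post). Detects whether the nat table
# still carries the IPsec exclusion rule and prints the restore command if not.
# The chain name, rule text and comment below are assumptions.

# Constructed sample: nat chain as dumped by `iptables -t nat -S POSTROUTING`
# while the tunnel is up and the exclusion rule is present.
SAMPLE_WITH_RULE='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j MASQUERADE'

# Constructed sample: the same chain after the tunnel was stopped and
# restarted; the exclusion is gone, so tunnel traffic falls through to
# MASQUERADE and gets its source address rewritten.
SAMPLE_WITHOUT_RULE='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j MASQUERADE'

# has_ipsec_exclusion RULES
# Returns 0 if RULES (iptables -S output) contains an ACCEPT rule matched on
# outbound IPsec policy, 1 otherwise.
has_ipsec_exclusion() {
    printf '%s\n' "$1" | grep -q -e '-m policy --dir out --pol ipsec.*-j ACCEPT'
}

# restore_rule_cmd RULES
# Prints the iptables command that re-inserts the exclusion at position 1 of
# POSTROUTING (i.e. before any MASQUERADE rule). Prints nothing if the rule
# is already present. The command text is an assumption about the rule fw3
# would normally install.
restore_rule_cmd() {
    if has_ipsec_exclusion "$1"; then
        return 0
    fi
    printf '%s\n' 'iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT'
}

# Stand-alone run over the two constructed tables.
for t in "$SAMPLE_WITH_RULE" "$SAMPLE_WITHOUT_RULE"; do
    if has_ipsec_exclusion "$t"; then
        echo "exclusion rule present"
    else
        echo "exclusion rule missing; restore with:"
        restore_rule_cmd "$t"
    fi
done
```

Running the restore command only patches the live ruleset; a firewall reload will rebuild the table from the configuration, so the durable fix is to make sure the rule is part of the firewall configuration rather than only of the tunnel's up/down handling.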