
Hello,

Stopping an IPsec tunnel causes the "Exclude-IPsec-from-NAT" rule to be deleted from the NAT table; unfortunately, it is not restored when the tunnel is restarted.

With the tunnel up:

root@lgrrutx:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 15 minutes ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b95483_i cadf7ee0_o
totsinuc-totsinuc_c{1}:   172.31.254.18/32 === 172.31.254.0/24
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec /* !fw3: Exclude-IPsec-from-NAT */

Tunnel stopped via the UI:

root@lgrrutx:~# ipsec status
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'

Tunnel restarted:

root@lgrrutx:~# ipsec status
Security Associations (1 up, 0 connecting):
totsinuc-totsinuc_c[1]: ESTABLISHED 12 seconds ago, 100.74.193.16[lgrrutx]...xxx[yyy]
totsinuc-totsinuc_c{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c4385ea2_i c2330f4a_o
totsinuc-totsinuc_c{1}:   172.31.254.18/32 === 172.31.254.0/24
root@lgrrutx:~# iptables -t nat -n -L | grep 'pol ipsec'
root@lgrrutx:~#

Of course in this state the tunnel is unusable. This issue is not new.

Regards,
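A check for the state described above, written for this page as an added example (it is not part of the original post or of the router firmware): it inspects a dump of the nat chain, reports whether the IPsec exclusion rule is present and whether it sits before any MASQUERADE rule (a rule that comes after MASQUERADE would never be reached), and, when run on the device with `--apply`, re-inserts the rule at the top of the chain. The chain name `POSTROUTING`, the exact `iptables -S` rendering of the rule and the sample chain dumps are assumptions, since the post's `grep` output does not show the chain name.

```shell
#!/bin/sh
# Added example, not code from the original post or from the router vendor.
# Verifies that the "Exclude-IPsec-from-NAT" rule is present in the nat table and
# placed before MASQUERADE, and re-inserts it when it has been removed.
# Assumption: the rule lives in nat/POSTROUTING and `iptables -t nat -S POSTROUTING`
# prints it as
#   -A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT

NAT_CHAIN="POSTROUTING"
# Regex for the exclusion rule in `iptables -S` syntax (a comment match may sit between
# the policy match and the ACCEPT target, hence the `.*`).
EXCLUDE_RE='-m policy --dir out --pol ipsec .*-j ACCEPT'
MASQ_STR='-j MASQUERADE'

# has_ipsec_nat_exclusion RULES
# RULES is the text printed by `iptables -t nat -S <chain>`.
# Returns 0 when an ACCEPT rule matched on outbound IPsec policy is present.
has_ipsec_nat_exclusion() {
    printf '%s\n' "$1" | grep -E -q -- "$EXCLUDE_RE"
}

# ipsec_exclusion_precedes_masquerade RULES
# Returns 0 when the exclusion rule is listed before every MASQUERADE rule of the
# chain (or the chain has no MASQUERADE), 1 when IPsec traffic would be NATed first.
ipsec_exclusion_precedes_masquerade() {
    excl_line=$(printf '%s\n' "$1" | grep -E -n -- "$EXCLUDE_RE" | head -n 1 | cut -d: -f1)
    masq_line=$(printf '%s\n' "$1" | grep -F -n -- "$MASQ_STR" | head -n 1 | cut -d: -f1)
    [ -z "$masq_line" ] && return 0
    [ -n "$excl_line" ] && [ "$excl_line" -lt "$masq_line" ]
}

# ensure_ipsec_nat_exclusion
# Runs on the router: re-inserts the rule at position 1 of the chain when missing,
# then confirms it precedes MASQUERADE. Returns 0 when the chain is in the good state.
ensure_ipsec_nat_exclusion() {
    rules=$(iptables -t nat -S "$NAT_CHAIN") || return 1
    if has_ipsec_nat_exclusion "$rules"; then
        echo "Exclude-IPsec-from-NAT rule present in nat/$NAT_CHAIN"
    else
        echo "Exclude-IPsec-from-NAT rule missing, re-inserting at top of nat/$NAT_CHAIN"
        iptables -t nat -I "$NAT_CHAIN" 1 -m policy --dir out --pol ipsec \
            -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT || return 1
    fi
    ipsec_exclusion_precedes_masquerade "$(iptables -t nat -S "$NAT_CHAIN")"
}

# Constructed sample chain dumps (not captured from a device) for offline checking:
# tunnel up with the rule in place, the broken state after a restart, and a rule that
# exists but is shadowed by an earlier MASQUERADE.
SAMPLE_WITH_RULE='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT
-A POSTROUTING -o wan -j MASQUERADE'
SAMPLE_WITHOUT_RULE='-P POSTROUTING ACCEPT
-A POSTROUTING -o wan -j MASQUERADE'
SAMPLE_WRONG_ORDER='-P POSTROUTING ACCEPT
-A POSTROUTING -o wan -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -m comment --comment "!fw3: Exclude-IPsec-from-NAT" -j ACCEPT'

# Only touch the live firewall when explicitly asked: `sh check-ipsec-nat.sh --apply`
if [ "${1:-}" = "--apply" ]; then
    ensure_ipsec_nat_exclusion
fi
```

On the device, `sh check-ipsec-nat.sh --apply` can be hooked to the IPsec up/down events (for instance from an updown script) so the exclusion is re-created each time the tunnel comes back; the presence check alone is not enough, which is why the script also verifies the rule's position relative to MASQUERADE.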

1 Answer

Hello,

Thank you for informing us.

I will forward this issue to the development team.

Best regards,

While you are at it, enable the rule by default. It does nothing if there is no active IPsec tunnel and is required for the tunnel to be usable.