Bug 4479 - GRE over IPSec state issues - Anyone tried on 2.3?



  • https://redmine.pfsense.org/issues/4479
    On pfSense 2.2.x (2.2.6 for me), state issues per this bug with GRE over IPSec (there are a few other bug reports and forum posts, but this is the most concise I think) are causing a few issues:

    • I have to keep all firewalling stateless. That is, create to/from rules with no state and all flags. This is messy, and I don't love from a security perspective (i.e. if SSH daemon was stopped and someone wanted to be malicious, any traffic coming from src port 22 on my SSH target box to the destination network would be passed, rather than just that with state for return traffic).

    • It seems that the default block rule for IPv4 isn't working for ICMP, or something like that - test pings coming over the GRE tunnel destined for 8.8.8.8 pass, and they definitely shouldn't. HTTP/HTTPS and other TCP protocols seem properly blocked.

    Has anyone had this problem on 2.3 nightly / beta / RC? I'm considering an upgrade now, but want to know if it would be futile.
    I'd love to just use OpenVPN or even IPSec tunneling, but I don't control the other side of the tunnel :/



  • Bumping the thread so it may get some attention.

    The problem still occurs on 2.3. Does anyone know if this is an issue on stock FreeBSD 10.3?