#1 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008)

IPSec Bug - Routes not being dropped

    I'm not sure if this is an Untangle thing or a strongSwan thing. And I haven't fully nailed this down yet; it needs more testing.

    However, I just finished assisting with an Untangle v16.1.1 install. They had four IPSec tunnels connecting to an Amazon network. These tunnels, when disabled, were not clearing the routes to the target network. So when we brought the new private leased line online, which obviously needed to connect to the same place... things just wouldn't work.

    To be clear we're replacing IPSec tunnels with a direct Ethernet link to the same network. In this case 10.0.0.0/16.

    So we had four tunnels affording four different IP networks access to 10.0.0.0/16, that when disabled didn't actually remove the routes to the network, and despite BGP or static routing configuration stating clearly otherwise, the Ethernet frames were going out on the IPSec instead of the appropriate interface, in this case eth4.

    To fix it, we had to remove the IPSec tunnels in question entirely, and reboot the Untangle server to flush the routes. Once that reboot was done, the new interface came online as configured.

    So any Untangle DEVs, please test this when you get a moment. Because we shouldn't have to reboot Untangle to clear routes. For that matter there shouldn't be active routes in the system from disabled tunnels. But that doesn't mean it's Untangle's fault either, as I said it might be a strongswan issue. I don't know that service well enough myself to know where the problem is.
    Last edited by sky-knight; 07-26-2021 at 02:21 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
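For anyone who wants to verify the condition above on the box instead of rebooting, here is an added check script. It is not code from the thread, from Untangle or from strongSwan. On a Linux host, charon installs routes for established tunnels into routing table 220 by default (the assumption here is that Untangle keeps that default), and it also installs kernel xfrm policies; an outbound xfrm policy whose selector matches the destination captures the packet before the main routing table is consulted, so a static or BGP route for the same prefix on eth4 will not override it. The script looks in both places for anything still covering a target prefix. The `ip route` and `ip xfrm policy` output embedded at the bottom is constructed sample data so the parsers can be exercised offline; the addresses are documentation ranges, not real ones.

```shell
#!/bin/sh
# Added example, not code from the thread, Untangle or strongSwan.
# Finds leftover IPsec state on a Linux/strongSwan host that would still pull
# traffic for a target network into a tunnel after that tunnel is "disabled".
# Two places matter:
#   1. routing table 220, where charon installs routes for established
#      tunnels by default (assumption: Untangle keeps that default);
#   2. the kernel xfrm policy database: an outbound policy whose selector
#      matches the destination is applied before the main routing table is
#      used, so a static or BGP route for the same prefix will not win.
#
# Live use (root is needed for `ip xfrm policy`):   check_stale 10.0.0.0/16
# The constructed sample data at the bottom lets the parsers run offline.
# IPv4 only.

ip2int() {
    # dotted quad -> 32-bit integer
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# in_cidr ADDR[/LEN] PREFIX[/PLEN]: succeed if ADDR/LEN lies inside PREFIX/PLEN.
# A broader block (10.0.0.0/8 against 10.0.0.0/16) is not "inside" and fails.
in_cidr() {
    a=${1%/*}; alen=${1#*/}; [ "$alen" = "$1" ] && alen=32
    p=${2%/*}; plen=${2#*/}; [ "$plen" = "$2" ] && plen=32
    [ "$alen" -ge "$plen" ] || return 1
    ai=$(ip2int "$a"); pi=$(ip2int "$p")
    nbits=$((32 - plen))          # shell arithmetic is 64-bit, so /0 is safe
    [ $((ai >> nbits)) -eq $((pi >> nbits)) ]
}

# stale_routes PREFIX: reads `ip route show table 220` output on stdin and
# prints every route whose destination lies inside PREFIX.
stale_routes() {
    while read -r dst rest; do
        [ -n "$dst" ] || continue
        [ "$dst" = default ] && dst=0.0.0.0/0
        if in_cidr "$dst" "$1"; then echo "$dst $rest"; fi
    done
    return 0
}

# stale_policies PREFIX: reads `ip xfrm policy` output on stdin and prints
# "src S dst D dir out" for every outbound policy whose dst lies inside PREFIX.
stale_policies() {
    pfx=$1; s=""; d=""
    while read -r k1 v1 k2 v2 rest; do
        case "$k1" in
            src) s=$v1; d=$v2 ;;                 # selector line: "src S dst D"
            dir) if [ "$v1" = out ] && in_cidr "$d" "$pfx"; then
                     echo "src $s dst $d dir out"
                 fi ;;
        esac
    done
    return 0
}

# check_stale PREFIX: run both checks against the live kernel state.
check_stale() {
    echo "== routes in table 220 inside $1 =="
    ip route show table 220 | stale_routes "$1"
    echo "== outbound xfrm policies inside $1 =="
    ip xfrm policy | stale_policies "$1"
}

# Constructed sample output (documentation address ranges, not real hosts).
SAMPLE_ROUTES='10.0.0.0/16 via 203.0.113.1 dev eth0 proto static src 192.168.1.10
10.0.20.0/24 via 203.0.113.1 dev eth0 proto static src 192.168.2.10
172.16.0.0/12 via 203.0.113.1 dev eth0 proto static src 192.168.1.10'

SAMPLE_POLICIES='src 192.168.1.0/24 dst 10.0.0.0/16
	dir out priority 375423 ptype main
	tmpl src 198.51.100.2 dst 203.0.113.5
		proto esp reqid 1 mode tunnel
src 10.0.0.0/16 dst 192.168.1.0/24
	dir in priority 375423 ptype main
	tmpl src 203.0.113.5 dst 198.51.100.2
		proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 172.16.0.0/12
	dir out priority 375423 ptype main
	tmpl src 198.51.100.2 dst 203.0.113.6
		proto esp reqid 2 mode tunnel'

# Offline demo: the two 10.0.x.x routes and the one outbound 10.0.0.0/16 policy
# are the leftovers that would keep stealing traffic from the new link.
printf '%s\n' "$SAMPLE_ROUTES"   | stale_routes   10.0.0.0/16
printf '%s\n' "$SAMPLE_POLICIES" | stale_policies 10.0.0.0/16
```

If `check_stale` reports anything after the tunnel has been disabled in the GUI, `ipsec statusall` or `swanctl --list-sas` will tell you whether charon still believes the connection is up. `ip route flush table 220` and `ip xfrm policy flush` clear the leftovers without a reboot, but both are global: they drop the routes and policies of every tunnel on the box, so expect to bring the ones you still want back up afterwards.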

#2 WebFooL (Untangle Ninja, Sweden (Eskilstuna); joined Jan 2009)

    I have seen something like what you're experiencing, but where routes are not added.
    I think there are more than a few things that need adjusting in that module.

    But support has not been of any help so far, and getting an "engineer" nowadays demands clearance from the almighty god or something.

    Better to look for another platform for your IPSec Usage.

#3 sky-knight (Untangle Ninja, Phoenix, AZ; joined Apr 2008)

    I spoke with UT support today and was told they're well aware of the conditions that created my circumstances. But yeah, there are dragons in there. But I hate IPSec and would just as soon let it all die in a fire. OpenVPN / WireGuard for me, thanks.
