Using /32 groups in ipsec causing leaks

Solution In Progress - Updated -

Issue

When an opportunistic IPsec group (e.g. a line in /etc/ipsec.d/policies/private/) uses a /32, a /32 trigger (%trap) policy is installed to catch on-demand traffic.

Once a packet triggers it, an IPsec SA is installed that carries the same /32 policy.
Upon deletion (e.g. an idle connection is torn down, or the other end sends a delete), the IPsec policy is removed, on the assumption that the opportunistic IPsec group policy is still there to re-trigger on demand. But because both the group policy and the instance policy had a /32 selector, they overwrote each other, and no group policy is left to trigger on-demand packets. Traffic will leak in the clear and no IPsec can be triggered until a restart.

A workaround could be to set the group policy to a /30, provided the extra IP addresses covered by that /30 can either participate in OE IPsec or are unused.
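The following script is an added example and not part of the Red Hat article: it reads a constructed policy-group file in the one-network-per-line format used by /etc/ipsec.d/policies/private, reports whether a given peer's /32 instance selector would exactly collide with a group line (the condition that causes the leak described above) or is merely covered by a wider group line, and computes the /30 the workaround would use together with the extra addresses an administrator must confirm are OE-capable or unused. The function names and the sample file contents are assumptions made for this example.

```python
import ipaddress

# Constructed sample policy-group file (format like /etc/ipsec.d/policies/private):
# one network per line, '#' starts a comment. Not taken from a real deployment.
SAMPLE_GROUP_FILE = """\
# constructed example group file
198.51.100.7/32
203.0.113.0/24
"""


def parse_group_file(text):
    """Return the list of networks listed in a policy-group file."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify_peer(peer_ip, group_nets):
    """Classify a peer's /32 instance selector against the group lines.

    'collision'   - a group line has exactly the same /32 selector, so the
                    instance policy and the group trap policy overwrite each
                    other and deleting the SA removes the trap (the leak case).
    'covered'     - the peer falls inside a wider group line; the group policy
                    has a different selector and survives SA deletion.
    'not-in-group'- no group line covers the peer at all.
    """
    peer = ipaddress.ip_network(f"{peer_ip}/32")
    for net in group_nets:
        if net == peer:
            return "collision"
        if peer.subnet_of(net):
            return "covered"
    return "not-in-group"


def widen_to_30(peer_ip):
    """Return the /30 containing peer_ip and the other addresses it pulls in.

    Those extra addresses are the ones the workaround requires to be either
    OE-capable or unused, since the /30 group policy will trap traffic to them too.
    """
    peer = ipaddress.ip_network(f"{peer_ip}/32")
    wider = peer.supernet(new_prefix=30)
    extras = [str(a) for a in wider if a != peer.network_address]
    return str(wider), extras


def report(peer_ip, group_text):
    """Summarise the risk for one peer against a group file's contents."""
    nets = parse_group_file(group_text)
    status = classify_peer(peer_ip, nets)
    result = {"peer": peer_ip, "status": status}
    if status == "collision":
        wider, extras = widen_to_30(peer_ip)
        result["suggested_group_line"] = wider
        result["addresses_to_verify"] = extras
    return result


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(report(ip, SAMPLE_GROUP_FILE))
```

Running the script against a real group file is just a matter of passing the file's contents to `report()`; a `collision` result for a peer means an SA teardown for that peer will leave no trap policy behind on the affected release, and the suggested /30 line is the workaround from the article, to be used only after checking the listed extra addresses.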

Environment

RHEL 7.6
