ufw blocks ipsec

Bug #606997 reported by MarkG on 2010-07-18
Affects: ufw (Ubuntu). Assigned to: Jamie Strandboge.

Bug Description

I've had IPSEC working between the Linux machines on my network for about a year using Firestarter as the firewall. I recently decided that I should probably switch to ufw since Firestarter isn't supported anymore, but since then I've found that IPSEC negotiations are unreliable: today, for example, I could see that one of the machines thought it had negotiated an IPSEC connection to another, but no messages were getting through to the other machine.

Looking at the log files I see lots of messages along the lines of:

Jul 18 01:20:23 nightmare kernel: [ 17.670844] [UFW BLOCK] IN=eth0 OUT= MAC=xxxx SRC=xxxx DST=xxxx LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=6954 DF PROTO=AH SPI=0xbd5df15

So what I don't understand is:

1. Why ufw is blocking a protocol that it apparently gives you no control over? I can't tell it to allow or block AH or ESP.
2. Why it sometimes blocks the protocol and sometimes doesn't?

ufw --version:
ufw 0.30pre1-0ubuntu2
Copyright 2008-2010 Canonical Ltd.

This is Ubuntu 10.04 with the most recent updates.


Changed in ufw:
status: New → Confirmed
Changed in ufw:
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote:

Thanks for the report. I committed a change to trunk to allow specifying the 'esp' and 'ah' protocols.
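As an added illustration (not part of the bug report, the ufw project's code, or the fix Jamie describes): a short Python script that scans syslog for the [UFW BLOCK] entries MarkG quoted, counts the dropped AH/ESP packets per interface and peer pair, and prints the 'proto ah' / 'proto esp' allow rules that ufw accepts once the esp/ah protocol support is in place. The log lines, addresses, MAC and interface name below are constructed; parse_ufw_block, ipsec_drops and suggest_rules are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the [UFW BLOCK] format quoted in the bug
# report. Addresses come from the RFC 5737 documentation ranges and the MAC is
# a placeholder; none of these are real hosts from the report.
SAMPLE_LOG = """\
Jul 18 01:20:23 nightmare kernel: [   17.670844] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=6954 DF PROTO=AH SPI=0xbd5df15
Jul 18 01:20:24 nightmare kernel: [   18.101233] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=6955 DF PROTO=ESP SPI=0xc0a80102
Jul 18 01:20:25 nightmare kernel: [   19.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 18 01:20:26 nightmare kernel: [   20.250000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.20 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=6960 DF PROTO=AH SPI=0xbd5df15
Jul 18 01:20:27 nightmare sshd[1234]: Accepted publickey for mark from 192.0.2.20 port 51000 ssh2
"""

# IPsec carries its payload in these two IP protocols; neither has ports,
# which is why a port-based allow rule never matches them.
IPSEC_PROTOS = {"AH", "ESP"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a [UFW BLOCK] line as a dict, or None
    for any other line. Flag-only tokens such as DF or SYN carry no '=' and
    are skipped."""
    marker = "[UFW BLOCK]"
    idx = line.find(marker)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(marker):]))


def ipsec_drops(lines):
    """Count blocked AH/ESP packets keyed by (interface, proto, src, dst)."""
    drops = Counter()
    for line in lines:
        fields = parse_ufw_block(line)
        if fields and fields.get("PROTO") in IPSEC_PROTOS:
            key = (fields.get("IN", ""), fields["PROTO"],
                   fields.get("SRC", ""), fields.get("DST", ""))
            drops[key] += 1
    return drops


def suggest_rules(drops):
    """Build one ufw command per blocked IPsec flow, using the 'proto esp' /
    'proto ah' syntax that ufw accepts from 0.30 onward. Sorted for stable
    output; each peer should be reviewed before the rule is applied."""
    rules = []
    for iface, proto, src, dst in sorted(drops):
        rules.append(
            f"ufw allow in on {iface} proto {proto.lower()} from {src} to {dst}")
    return rules


if __name__ == "__main__":
    drops = ipsec_drops(SAMPLE_LOG.splitlines())
    for (iface, proto, src, dst), n in sorted(drops.items()):
        print(f"{n:3d} blocked  iface={iface} proto={proto} {src} -> {dst}")
    for rule in suggest_rules(drops):
        print(rule)
```

Against a live system the same functions can be fed lines from /var/log/syslog or kern.log. The generated rules only cover the AH/ESP data packets that were actually dropped; the IKE negotiation itself runs over UDP port 500 (and UDP 4500 when NAT traversal is in use) and needs its own allow rule, which is unchanged by this fix.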

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: In Progress → Fix Committed
Changed in ufw (Ubuntu Lucid):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in ufw (Ubuntu Maverick):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in ufw (Ubuntu Maverick):
importance: Undecided → High
importance: High → Medium
Changed in ufw (Ubuntu Lucid):
importance: Undecided → Medium
Changed in ufw:
importance: Undecided → Medium
Changed in ufw:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ufw - 0.30.0-1ubuntu1

ufw (0.30.0-1ubuntu1) maverick; urgency=low

  * src/frontend.py: display unicode error messages properly. Thanks to
    Serguey Basalaev.
    - upstream commit r700
    - LP: #580032
  * src/backend_iptables.py: fix gettext warning
    - upstream commit r701
  * run debconf-updatepo, but adjust debian/po/de.po and debian/po/es.po to
    add correct "Language:" tag
  * profiles/ufw-mailserver: remove Postfix specific language
    - upstream commit r705

ufw (0.30.0-1) unstable; urgency=low

  * New upstream release. Use 0.30.0 as the version even though upstream uses
    0.30 in order to sync to Ubuntu. Fixes:
    - LP: #568877
    - LP: #611982
    - LP: #606997
    - LP: #624199
    - LP: #625340
    - LP: #521359
    - LP: #436608
  * don't flush chains if ufw is not enabled (LP: #581744)
  * debian/postinst: don't source /usr/share/debconf/confmodule when $1 =
    triggered. Fix thanks to Colin Watson. (LP: #618410)
  * debian/control:
    - drop versioned depends on iptables. This helps with backporting now that
      the test suite can handle it
    - updated Standards-Version
  * debian/rules:
    - pass interpreter to run_tests.sh
    - don't install upstream application profiles for now
  * add rsyslog support
  * add debian/source/format
  * debian/before6.rules.md5sum: updated for ucf
 -- Jamie Strandboge <email address hidden> Mon, 30 Aug 2010 13:20:58 -0500

Changed in ufw (Ubuntu Maverick):
status: In Progress → Fix Released
no longer affects: ufw (Ubuntu Lucid)