On 2019/11/29 iked and isakmpd were changed from installing "USE" flows
for inbound IPsec to "REQUIRE" flows, so that unencrypted packets are
rejected.

Normally this is good but I ran into a corner case.

I have a tunnel from my workstation to private subnets behind a remote
router. That remote router also has some rdr-to from one of its public IPs
to machines in the subnet:

flow esp in from 10.71.0.0/18 to $myworkstation peer $whatever type require
flow esp out from $myworkstation to 10.71.0.0/18 peer $whatever type require

pass in quick on egress proto tcp to $EXTERNAL_IP port smtp rdr-to 10.71.12.5

($EXTERNAL_IP is a normal internet-routable IP, not one of the private ones
in 10.71/18. $myworkstation is also a normal internet-routable IP, not natted).

If I try to connect from $myworkstation to $EXTERNAL_IP this obviously isn't
covered by the flow on my workstation so is sent in cleartext. But,
because flows match *translated* addresses, it *is* covered by the flow
on the remote router and so now that this is a 'require' flow it gets
dropped.

This at least needs documenting in current.html/upgrade67.html so that
people aren't caught by surprise (it took me several days to figure
out as I'd forgotten about this commit!) but this would be better if
we can show a workaround for people affected by the change.

I tried adding a 'type use' flow with ipsecctl but this failed with
"writev failed: Invalid argument" (same if I removed the existing 'type
require' flow first) - not sure if there's another way to do this.

Workarounds on $myworkstation side (split horizon DNS, natting
$myworkstation's non-tunnel traffic to $EXTERNAL_IP to another IP) are
possible I suppose, but not very appealing. Does anyone have other ideas?
(I've just got the commit backed out for now, but that's not good long-term
or for users.)
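
As an added illustration (not part of the post, and not OpenBSD's code), the following Python model of the router's inbound packet path shows why the change bites: pf applies the rdr-to before the IPsec policy lookup, so a cleartext SMTP packet aimed at $EXTERNAL_IP is rewritten to 10.71.12.5 and then falls inside the tunnel flow's selectors. With a "use" flow that cleartext is tolerated; with a "require" flow it is dropped, while the same packet from an unrelated source, or the same destination reached through ESP, still passes. It assumes the router's inbound flow is the mirror image of the workstation's, and uses constructed documentation addresses in place of $myworkstation and $EXTERNAL_IP.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed stand-in addresses; the post writes $myworkstation / $EXTERNAL_IP.
WORKSTATION = "203.0.113.10"
EXTERNAL_IP = "198.51.100.25"
PRIVATE_NET = "10.71.0.0/18"
MAIL_HOST = "10.71.12.5"
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    via_ipsec: bool = False  # True if the packet arrived inside an ESP SA


@dataclass(frozen=True)
class Flow:
    src: str   # selector: host address or CIDR
    dst: str
    type: str  # "use" or "require"


def router_flows(flow_type):
    """Router-side mirror of the workstation's inbound flow (assumed):
    traffic from the workstation to the private subnet should arrive over ESP."""
    return [Flow(WORKSTATION, PRIVATE_NET, flow_type)]


# pf rdr-to rule from the post, as (external address, port, target).
RDR_RULES = [(EXTERNAL_IP, SMTP, MAIL_HOST)]


def apply_rdr(pkt, rules):
    """pf rewrites the destination before the IPsec policy lookup sees it."""
    for ext, port, target in rules:
        if pkt.dst == ext and pkt.dport == port:
            return replace(pkt, dst=target)
    return pkt


def lookup_flow(pkt, flows):
    """Return the first flow whose selectors cover the (translated) packet."""
    for f in flows:
        if (ip_address(pkt.src) in ip_network(f.src, strict=False)
                and ip_address(pkt.dst) in ip_network(f.dst, strict=False)):
            return f
    return None


def inbound_decision(pkt, flows, rules=RDR_RULES):
    """'pass' or 'drop' for a packet arriving on the router's external interface."""
    translated = apply_rdr(pkt, rules)
    f = lookup_flow(translated, flows)
    if f is None or pkt.via_ipsec:
        return "pass"   # no policy applies, or the packet is already IPsec-protected
    if f.type == "use":
        return "pass"   # 'use': encrypt when an SA exists, but accept cleartext
    return "drop"       # 'require': cleartext matching the flow is rejected


if __name__ == "__main__":
    cleartext_smtp = Packet(WORKSTATION, EXTERNAL_IP, SMTP)
    for t in ("use", "require"):
        print(f"type {t}: workstation -> $EXTERNAL_IP:25 =>",
              inbound_decision(cleartext_smtp, router_flows(t)))
    other = Packet("192.0.2.7", EXTERNAL_IP, SMTP)
    print("other host -> $EXTERNAL_IP:25 =>",
          inbound_decision(other, router_flows("require")))
    tunneled = Packet(WORKSTATION, MAIL_HOST, SMTP, via_ipsec=True)
    print("workstation -> 10.71.12.5:25 via ESP =>",
          inbound_decision(tunneled, router_flows("require")))
```

Running it prints "pass" for the "use" policy and "drop" for "require" on the workstation's cleartext SMTP packet, which is exactly the behaviour change the post describes; the other two cases show the drop is confined to sources already covered by the tunnel flow.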