ipsec: Open ports in outgoing direction

When the firewall policy is blocked, no outgoing IPsec connections
can be established. That is slightly counter-intuitive since we
open ports in the incoming direction automatically.

Fixes: #11704
Reported-by: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 204753640a5bea3f42f783d3bcae3f05cad9b82c..9afc409ca96c2792a10f6750143f6b58038dd1f7 100644 (file)
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -63,6 +63,10 @@ void open_physical (char *interface, int nat_traversal_port) {
         safe_system(str);
         sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport 500 -j ACCEPT", interface);
         safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport 500 -j ACCEPT", interface);
+        safe_system(str);
 
         if (! nat_traversal_port) 
             return;
@@ -71,6 +75,10 @@ void open_physical (char *interface, int nat_traversal_port) {
         safe_system(str);
         sprintf(str, "/sbin/iptables --wait -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
         safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -D IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+        safe_system(str);
+        sprintf(str, "/sbin/iptables --wait -A IPSECOUTPUT -p udp -o %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+        safe_system(str);
 }
 
 void ipsec_norules() {