Here is my topology:
- eth1 - 1 static public address W.X.Y.Z with default internet route
- eth2 - 1 local gateway 192.168.0.1/24
- 1 IKEv2 tunnel running via eth1
There is a mangle rule that marks 192.168.0.128/25 (that’s half of the primary local subnet) with the “ipsec-hosts” connection mark and an IPsec mode-config that only catches “ipsec-hosts” for the split-tunneling:
3 ;;; mark-ipsec
chain=forward action=mark-connection src-address=192.168.0.128/25 new-connection-mark=ipsec-hosts connection-mark=no-mark
The result ends with 2 src-nat rules that look like this:
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.0.0.X connection-mark=ipsec-hosts
1 ;;; local nat
chain=srcnat action=src-nat src-address=192.168.0.0/24 connection-mark=!ipsec-hosts to-addresses=W.X.Y.Z
The issue comes in when the IPsec tunnel drops and reconnects: it causes all TCP connection tracking to halt for 2-3 seconds, for both “ipsec-hosts”-marked connections (which is normal because the tunnel is down) and non-“ipsec-hosts” connections, including no-mark ones like traffic which is not part of the IPsec policy.
Is this a bug in ROS or a limitation with the way src-nat works when the dynamic src-nat rule is removed when the tunnel disconnects?
This does not happen when the dynamic src-nat rule is re-added, only when it’s removed on tunnel disconnect.
And it sure does not affect UDP, because I left some pings open and I didn’t get any timeouts while the tunnel disconnects, but TCP connections such as RDP ones do disconnect on hosts that are not NAT’ted via IPsec.
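For anyone reproducing the setup above, here is the same mark-then-NAT arrangement written out as RouterOS CLI commands, followed by the checks that show what the router is actually doing during a tunnel flap. This is an added example and not the original poster's configuration: the mode-config name "mc-split", the peer/identity names, the placeholder "W.X.Y.Z" and "10.0.0.X" addresses, and the rule order shown are assumptions, and the `/ip ipsec mode-config` entry is only the part relevant to the connection mark (the peer, proposal and identity have to exist already).

```routeros
# --- Mark connections from the upper half of the LAN (assumed to match the poster's rule) ---
/ip firewall mangle
add chain=forward src-address=192.168.0.128/25 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ipsec-hosts passthrough=yes \
    comment="mark-ipsec"

# --- Static NAT for everything that is NOT marked for the tunnel ---
# The "!" negation is what keeps ordinary LAN traffic on the public address W.X.Y.Z (placeholder).
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 connection-mark=!ipsec-hosts \
    action=src-nat to-addresses=W.X.Y.Z comment="local nat"

# --- Mode-config: the dynamic src-nat rule ("ipsec mode-config", to-addresses=10.0.0.X) ---
# is generated by RouterOS for connections carrying this mark; it is not added by hand.
# "mc-split" is an assumed name; the mode-config must be referenced from the initiator identity.
/ip ipsec mode-config
add name=mc-split responder=no connection-mark=ipsec-hosts

# --- Checks to run while watching a disconnect/reconnect ---
# 1. Is the dynamic srcnat rule present right now? (flag D in the poster's listing)
/ip firewall nat print where dynamic

# 2. Is the tunnel actually established?
/ip ipsec active-peers print

# 3. Which tracked connections carry the tunnel mark, and which do not?
/ip firewall connection print where connection-mark=ipsec-hosts
/ip firewall connection print where connection-mark=no-mark protocol=tcp

# 4. Correlate the TCP drop with the IPsec events in the log
/log print where topics~"ipsec"
```

Running checks 1 and 3 on a second terminal while the tunnel is torn down shows whether the unmarked TCP entries in the connection table survive the removal of the dynamic rule; if they are still listed but the sessions still reset, the problem is not in the mark/NAT matching itself, which is the distinction the question turns on.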