Last weekend we had an automatic security upgrade on one of our VPN gateways that connect sites to our cloud environment. After troubleshooting (basic network troubleshooting, e.g. with Wireshark) we identified one of the most recent security updates to be the cause of this. We have restored the system to a known good state and have put the (we believe) affected packages on hold.
It is an Ubuntu 20.04 LTS instance on AWS with linux-image-aws installed. We are using IPsec to connect several EdgeRouters to a private cloud environment.
After the upgrade all sites connect and communicate as usual, e.g. ICMP is working, but we are unable to access certain services (such as RDP or SMB) in the private cloud environment.
The change logs for the related packages don’t show any obvious linked change, so I am wondering if I am missing something fundamental. This configuration/setup has worked well for over a year now with no issues.
Known good version: linux-image-aws 18.104.22.1681.43~20.04.13
Problematic version: linux-image-aws 22.214.171.1242.44~20.04.14 and onwards (we have also tested latest 5.11 which seems to be affected)
IPsec configuration extract:

```
# MAIN IPSEC VPN CONFIG
config setup

conn %default
    keyexchange=ikev1
    # <REMOVED>

conn peer-rt1.<REMOVED>.net.au-tunnel-1
    left=%any
    right=rt1.<REMOVED>.net.au
    rightid="%any"
    leftsubnet=172.31.0.0/16
    rightsubnet=10.35.0.0/16
    ike=aes128-sha1-modp2048!
    keyexchange=ikev1
    ikelifetime=28800s
    esp=aes128-sha1-modp2048!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    auto=route
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
```
Thank you in advance.