IPsec tunnel mode - ping won't work after 15 minutes of no traffic

Erik

I have an IPsec connection (tunnel mode) where, after about 15 minutes without traffic, ping stops working and can be resumed only if the ping is initiated from the other end.

The setup consists of two routers that use Linux Openswan 1.5.13-6-g96f6187-dirty (klips)

Below are the configs and the logs for when it works and when it doesn't.

I'm fairly new to IPsec. I tried enabling rekey and compression, but with no luck. The iptables look the same when ping works and when it stops working.

DEVICE_1

config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_1
    left=82.79.119.159
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.250
    #leftnexthop=
    rightid=@Device_2
    right=82.79.119.160
    rightsubnet=10.0.1.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore

Device_2

config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_2
    left=82.79.119.160
    leftsubnet=10.0.1.0/24
    leftsourceip=10.0.1.250
    #leftnexthop=
    rightid=@Device_1
    right=82.79.119.159
    rightsubnet=10.0.0.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore

Logs

When ping works:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:esp.1f2673db@82.79.119.159 requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159, src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159 First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug: 00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.1f2673db@82.79.119.159:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:esp.1f2673db@82.79.119.159, Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (4--) decremented by ipsec_rsm:2024.

When ping does not work:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface input */
0 0 ACCEPT udp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
342 49352 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
0 0 DROP all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
35 11480 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
7 203 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 2268 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Forward new connection attempts out WAN port */
464 38976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Forward established connections (where?) */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface output */
0 0 ACCEPT udp -- * wwan0 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- * wwan0 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Allow new outbound WAN connections */
360 52568 ACCEPT all -- * wwan0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0
This looks more like an interface configuration problem than a VPN problem. schroeder 5 years ago 0
What OS are these routers running? The Openswan version you mentioned doesn't seem to exist anymore. (And the 1.x series would be 12 years old!) grawity 5 years ago 0
Yes, we are pretty old. Most likely we will switch to strongswan and check the behavior there. Thank you, guys! Erik 5 years ago 0

1 answer

0
Erik

We solved this problem by adding, on each device, a keep-alive function pointing to the local IP address of the remote device, every 5 minutes. Dem workarounds! :)
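
A sketch of the keep-alive described in this answer, as an added example that is not the poster's own script: it sends a probe from the router's tunnel-side address to the peer's LAN address, so the packet falls inside the tunnel's subnets, and is meant to run from cron every 5 minutes. The addresses are Device_1's leftsourceip and, as an assumption, Device_2's leftsourceip from the configs in the question; the script path, the retry count and the use of logger are also assumptions.

```shell
#!/bin/sh
# Added example: IPsec tunnel keep-alive for Device_1 (swap the two
# addresses on Device_2). Hypothetical cron entry, every 5 minutes:
#   */5 * * * * /usr/local/sbin/ipsec-keepalive.sh run

LOCAL_SRC="${LOCAL_SRC:-10.0.0.250}"    # leftsourceip of Device_1 (from the page)
REMOTE_LAN="${REMOTE_LAN:-10.0.1.250}"  # assumed target: leftsourceip of Device_2
PING="${PING:-ping}"                    # overridable so the logic can be tested offline
TRIES="${TRIES:-3}"                     # assumed retry count

# One probe: a single echo request, 5 s timeout, sourced from the
# tunnel-side address so it is routed into the tunnel and not out the WAN.
probe() {
    "$PING" -c 1 -W 5 -I "$LOCAL_SRC" "$REMOTE_LAN" >/dev/null 2>&1
}

# Returns 0 as soon as one probe is answered, 1 if every probe fails.
# A failure is written to syslog so a dead tunnel is visible to the operator.
keepalive() {
    attempt=1
    while [ "$attempt" -le "$TRIES" ]; do
        if probe; then
            return 0
        fi
        attempt=$((attempt + 1))
    done
    logger -t ipsec-keepalive \
        "no reply from $REMOTE_LAN (src $LOCAL_SRC) after $TRIES probes" \
        2>/dev/null || true
    return 1
}

# Only send traffic when invoked as "<script> run" (as cron does above).
if [ "${1:-}" = "run" ]; then
    keepalive
fi
```

The 5-minute interval only helps because it is shorter than the roughly 15 minutes of idle time after which the question reports the tunnel going quiet.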