Date: Tue, 18 Nov 2014 10:52:50 +0100
From: Göran Löwkrantz <goran.lowkrantz@ismobile.com>
To: freebsd-stable@freebsd.org
Subject: Problem with IPSec tunnel and normal routing
Message-ID: <A32EF05605EDD3E5EF0F7608@[172.16.2.28]>
We have a problem with a NanoBSD GW/Router that seems to get its forwarding screwed up by an IPSec tunnel.

      +----+                                       +-------+
      |    |         +----+                        |       |    +-- A
   2 -+    |         |    |                        |       |    |
   3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
   4 -+    |         |    |                        | endp  |    |
      |    |         +----+                        |       |    +-- C
      +----+                                       +-------+

Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
IPSec endp - YYY.YYY.YYY.2
Net A - 192.168.45.129/32
Net B - 192.168.45.130/32
Net C - 192.168.40.8/29

Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.

GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE #0 r274192
IKEv1 etc. is handled by strongswan-5.2.0_1
Left IPSec endpoint is a Clavister VPN GW.

After a host on Net 3 has connected through the tunnel to 192.168.45.129 via a NATed VMWare Fusion connection, traffic from that host is received correctly at the GW on Net 3 (em1), but the response from the GW is sent out via the DMZ interface em5. Switching the host to Net 4, i.e. disconnecting the network cable and starting the WiFi, restores connectivity. Other hosts on Net 3 that have not communicated via the IPSec tunnel are NOT affected.

All routing seems to be correct on the GW, so some other mechanism must be at play.

Any help appreciated.

BR, Goran
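Because IPsec policy lookup on the GW happens independently of the routing table, a correct `netstat -rn` does not rule out an SPD entry grabbing the reply. The script below is an added example, not part of the original post or of strongSwan: it parses the text format printed by `setkey -DP` on FreeBSD and reports which policy, if any, would match a given source/destination pair and direction. The SPD text inside it is a constructed sample (the XXX/YYY prefixes from the post are replaced with documentation addresses), and the host addresses used in the checks are assumed.

```python
"""Report which IPsec security policy (SPD entry) would capture a packet.

Added diagnostic example, not from the mailing-list post.  Feed it the
output of `setkey -DP` on the gateway; the SAMPLE_SPD below is a
constructed stand-in in that format, with placeholder addresses
(203.0.113.130 standing in for the DMZ-side tunnel endpoint and
198.51.100.2 for the remote YYY.YYY.YYY.2 endpoint).
"""
import ipaddress
import re

# Constructed sample of `setkey -DP` output (not real output from the GW).
SAMPLE_SPD = """\
192.168.3.0/24[any] 192.168.45.129/32[any] any
	out ipsec
	esp/tunnel/203.0.113.130-198.51.100.2/require
	spid=1 seq=3 pid=1234
	refcnt=1
192.168.45.129/32[any] 192.168.3.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.2-203.0.113.130/require
	spid=2 seq=2 pid=1234
	refcnt=1
192.168.2.0/24[any] 192.168.40.8/29[any] any
	out ipsec
	esp/tunnel/203.0.113.130-198.51.100.2/require
	spid=3 seq=1 pid=1234
	refcnt=1
"""

# First line of each entry: "<src>[<port>] <dst>[<port>] <proto>"
HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")


def parse_spd(text):
    """Turn `setkey -DP` output into a list of policy dicts."""
    policies = []
    cur = None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):
            m = HEADER_RE.match(line.strip())
            if not m:
                continue
            src, _sport, dst, _dport, proto = m.groups()
            cur = {"src": ipaddress.ip_network(src, strict=False),
                   "dst": ipaddress.ip_network(dst, strict=False),
                   "proto": proto, "dir": None, "action": None,
                   "rules": [], "spid": None}
            policies.append(cur)
        elif cur is not None:
            fields = line.split()
            if fields[0] in ("in", "out", "fwd") and len(fields) >= 2:
                cur["dir"], cur["action"] = fields[0], fields[1]
            elif fields[0].startswith(("esp/", "ah/", "ipcomp/")):
                cur["rules"].append(fields[0])
            elif fields[0].startswith("spid="):
                cur["spid"] = int(fields[0].split("=", 1)[1])
    return policies


def matching_policies(policies, src, dst, direction):
    """Policies whose selectors cover src -> dst in the given direction."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return [p for p in policies
            if p["dir"] == direction
            and src_ip in p["src"] and dst_ip in p["dst"]]


def explain(policies, src, dst, direction="out"):
    """One-line verdict: SPD entry that applies, or plain routing."""
    hits = matching_policies(policies, src, dst, direction)
    if not hits:
        return (f"{direction} {src} -> {dst}: no SPD entry; "
                "plain routing table applies")
    p = hits[0]
    return (f"{direction} {src} -> {dst}: SPD entry spid={p['spid']} "
            f"action={p['action']} {' '.join(p['rules'])}")


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    # Assumed addresses: GW's em1 address and one workstation on Net 3.
    print(explain(pols, "192.168.3.50", "192.168.45.129"))  # tunnel policy
    print(explain(pols, "192.168.3.1", "192.168.3.50"))     # GW reply to host
    print(explain(pols, "192.168.4.10", "192.168.45.129"))  # Net 4: no policy
```

If the reply (GW address to the Net 3 host) reports a matching `out` entry, the SPD, not the routing table, explains why the packet leaves on the tunnel-facing interface; if it reports no entry, the cause lies elsewhere and the same check on the `in`/`fwd` direction of the host's own traffic is the next thing to look at.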