Date:      Tue, 18 Nov 2014 11:07:40 +0100
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: Problem with IPSec tunnel and normal routing
Message-ID:  <20141118100739.GB18512@zeninc.net>
In-Reply-To: <A32EF05605EDD3E5EF0F7608@[172.16.2.28]>
References:  <A32EF05605EDD3E5EF0F7608@[172.16.2.28]>

Hi.


On Tue, Nov 18, 2014 at 10:52:50AM +0100, G?ran L?wkrantz wrote:
> We have a problem with a NanoBSD GW/Router that seems to get its
> forwarding screwed up by an IPSec tunnel.
> 
>   +----+                                       +-------+
>   |    |         +----+                        |       |    +-- A
> 2 -+    |         |    |                        |       |    |
> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
> 4 -+    |         |    |                        | endp  |    |
>   |    |         +----+                        |       |    +-- C
>   +----+                                       +-------+
> 
> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
> 
> DMZ   - em5 - XXX.XXX.XXX.128/27  - DMZ and transfer net to outside.
> IPSec endp  - YYY.YYY.YYY.2
> 
> Net A - 192.168.45.129/32
> Net B - 192.168.45.130/32
> Net C - 192.168.40.8/29
> 
> Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.
> 
> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
> #0 r274192
> IKEv1 etc. is handled by strongswan-5.2.0_1
> Left IPSec endpoint is a Clavister VPN GW.
> 
> After a host on Net 3 has connected through the tunnel to
> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
> that host is received correctly at the GW on Net 3 (em1) but the
> response from the GW is sent out via the DMZ interface em5.
> Switching the host to Net 4 i.e. disconnecting the network cable and
> starting the WiFi restores connectivity.
> 
> Other hosts on Net 3 that have not communicated via the IPSec tunnel
> are NOT affected.
> 
> All routing seems to be correct on the GW so some other mechanism
> must be at play.
> 
> Any help appreciated.

Could you please send us at least a dump of your SPD and routing
configuration?


Yvan.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141118100739.GB18512>
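Added illustration (not part of the thread, and not FreeBSD's or strongSwan's code) of the check behind Yvan's request: read a `setkey -DP` dump alongside the routing table and report, for one src/dst pair, which SPD entry matches and which interface the packet really leaves on. On FreeBSD a matching outbound tunnel-mode policy means the encapsulated packet is routed by the peer's outer address, not by the inner destination, so `netstat -rn` can look right while the packet still leaves on the interface towards the IPsec peer. The sample dump, the routing table, the gateway address 192.168.3.1, and the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for the poster's XXX/YYY nets are all constructed; first-match-in-dump-order is an assumption about SPD lookup order.

```python
"""
Match a src/dst pair against a FreeBSD `setkey -DP` dump and a routing table
and say which interface the packet leaves on once IPsec has had its say.

Added example, not code from the thread, FreeBSD or strongSwan. Assumptions:
dump format is setkey's (selector line, then indented direction/action,
transform and spid lines); the first matching entry in dump order wins;
an outbound tunnel-mode match is routed by the tunnel peer's address.
All addresses and the routing table below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `setkey -DP` output (setkey prints tabs; any indent is accepted).
SPD_DUMP = """\
192.168.3.0/24[any] 192.168.45.129[any] any
    out ipsec
    esp/tunnel/192.0.2.130-198.51.100.2/unique:1
    spid=1 seq=1 pid=1234
    refcnt=1
192.168.45.129[any] 192.168.3.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.2-192.0.2.130/unique:1
    spid=2 seq=0 pid=1234
    refcnt=1
"""

# Constructed routing table in `netstat -rn` terms: network -> interface.
ROUTES = [
    ("192.168.2.0/24", "em2"),
    ("192.168.3.0/24", "em1"),
    ("192.168.4.0/24", "em0"),
    ("192.0.2.128/27", "em5"),   # DMZ / transfer net
    ("0.0.0.0/0", "em5"),        # default via the FW on the DMZ
]

SELECTOR = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
DIRECTION = re.compile(r"^(in|out|fwd)\s+(ipsec|none|discard|bypass|entrust)$")


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int]
    dst_port: Optional[int]
    proto: str
    direction: str = ""
    action: str = ""
    spid: Optional[int] = None
    mode: Optional[str] = None     # tunnel / transport
    peer: Optional[str] = None     # outer destination for tunnel mode


def _net(s: str):
    return ipaddress.ip_network(s, strict=False)   # bare host -> /32


def _port(s: str) -> Optional[int]:
    return None if s == "any" else int(s)


def parse_spd(dump: str) -> List[Policy]:
    policies: List[Policy] = []
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():                   # selector line opens an entry
            m = SELECTOR.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line!r}")
            policies.append(Policy(_net(m[1]), _net(m[3]), _port(m[2]), _port(m[4]), m[5]))
            continue
        cur = policies[-1]
        m = DIRECTION.match(line)
        if m:
            cur.direction, cur.action = m[1], m[2]
        elif line.startswith("spid="):
            cur.spid = int(line.split()[0].split("=")[1])
        elif line.split("/")[0] in ("esp", "ah", "ipcomp"):
            parts = line.split("/")                # proto/mode/outer-src-outer-dst/level
            cur.mode = parts[1]
            if cur.mode == "tunnel" and "-" in parts[2]:
                cur.peer = parts[2].split("-")[1]
    return policies


def lookup(policies: List[Policy], src: str, dst: str, direction: str,
           proto: str = "any", sport: Optional[int] = None,
           dport: Optional[int] = None) -> Optional[Policy]:
    """First SPD entry (dump order) whose selectors cover the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction or s not in p.src or d not in p.dst:
            continue
        if p.proto != "any" and proto != p.proto:
            continue
        if p.src_port is not None and p.src_port != sport:
            continue
        if p.dst_port is not None and p.dst_port != dport:
            continue
        return p
    return None


def route_iface(routes, dst: str) -> Optional[str]:
    """Longest-prefix match over the constructed routing table."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        n = _net(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def egress(policies, routes, src: str, dst: str) -> Tuple[Optional[str], Optional[Policy]]:
    """Interface a locally generated src->dst packet leaves on after IPsec."""
    p = lookup(policies, src, dst, "out")
    if p and p.action == "ipsec" and p.mode == "tunnel" and p.peer:
        return route_iface(routes, p.peer), p   # routed by the outer header
    return route_iface(routes, dst), p


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    for src, dst in (("192.168.3.10", "192.168.45.129"), ("192.168.3.1", "192.168.3.10")):
        iface, pol = egress(spd, ROUTES, src, dst)
        print(f"{src} -> {dst}: via {iface}, policy spid={pol.spid if pol else None}")
```

Run it against the real dumps from the gateway and compare the reported interface with what tcpdump shows on em1 and em5. For the case in the thread, a reply from the GW to a Net 3 host matches no outbound policy, so if that packet still leaves on em5 the SPD is not what is steering it and the routing and interface state need a closer look.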