From owner-freebsd-stable@FreeBSD.ORG Tue Nov 18 10:07:43 2014
Date: Tue, 18 Nov 2014 11:07:40 +0100
From: VANHULLEBUS Yvan
To: freebsd-stable@freebsd.org
Subject: Re: Problem with IPSec tunnel and normal routing
Message-ID: <20141118100739.GB18512@zeninc.net>

Hi.

On Tue, Nov 18, 2014 at 10:52:50AM +0100, Göran Löwkrantz wrote:
> We have a problem with a NanoBSD GW/Router that seems to get its
> forwarding screwed up by an IPSec tunnel.
>
>    +----+                                       +-------+
>    |    |         +----+                        |       |    +-- A
> 2 -+    |         |    |                        |       |
> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
> 4 -+    |         |    |                        | endp  |
>    |    |         +----+                        |       |    +-- C
>    +----+                                       +-------+
>
> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
>
> DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
> IPSec endp - YYY.YYY.YYY.2
>
> Net A - 192.168.45.129/32
> Net B - 192.168.45.130/32
> Net C - 192.168.40.8/29
>
> Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.
>
> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
> #0 r274192
> IKEv1 etc. is handled by strongswan-5.2.0_1
> Left IPSec endpoint is a Clavister VPN GW.
>
> After a host on Net 3 has connected through the tunnel to
> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
> that host is received correctly at the GW on Net 3 (em1) but the
> response from the GW is sent out via the DMZ interface em5.
> Switching the host to Net 4, i.e. disconnecting the network cable and
> starting the WiFi, restores connectivity.
>
> Other hosts on Net 3 that have not communicated via the IPSec tunnel
> are NOT affected.
>
> All routing seems to be correct on the GW so some other mechanism
> must be at play.
>
> Any help appreciated.

Could you please send us at least a dump of your SPD and routing
configuration?

Yvan.
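Yvan's request amounts to cross-checking the SPD (`setkey -DP`) against the routing table (`netstat -rn`): an outbound security policy whose selectors cover a flow puts that flow through IPsec regardless of what the route lookup says. The following Python is an added example, not code from either poster; it parses constructed samples of both outputs that mirror the thread's topology, with 203.0.113.128/27, 203.0.113.130 and 198.51.100.2 standing in for the redacted DMZ prefix, GW DMZ address and peer address, and the in/out policy pair is an assumption about what strongSwan would install for Net 3 <-> Net A.

```python
import ipaddress
import re
# Constructed `netstat -rn` sample for the GW in the thread (Net 3 on em1, DMZ on
# em5, default via the FW; 203.0.113.128/27 stands in for XXX.XXX.XXX.128/27).
NETSTAT_RN = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.129      UGS         em5
192.168.3.0/24     link#2             U           em1
203.0.113.128/27   link#6             U           em5
"""
# Constructed `setkey -DP` sample: the in/out policy pair tunnelling Net 3 <-> Net A
# between the GW's DMZ address (203.0.113.130) and the peer (198.51.100.2).
SETKEY_DP = """\
192.168.45.129[any] 192.168.3.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.2-203.0.113.130/unique:1
\tspid=2 seq=1 pid=1234
192.168.3.0/24[any] 192.168.45.129[any] any
\tout ipsec
\tesp/tunnel/203.0.113.130-198.51.100.2/unique:1
\tspid=1 seq=0 pid=1234
"""

def route_lookup(netstat_text, dst):
    """Longest-prefix match over the IPv4 routes; returns (prefix, netif)."""
    dst_ip, best = ipaddress.ip_address(dst), None
    for line in netstat_text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, fields[3])
    return (str(best[0]), best[1]) if best else None

def matching_policies(setkey_text, src, dst):
    """Return (direction, spid) for every SP whose selectors cover src -> dst."""
    src_ip, dst_ip, hits = ipaddress.ip_address(src), ipaddress.ip_address(dst), []
    for entry in re.split(r"\n(?=\S)", setkey_text.strip()):  # one SP per chunk
        lines = entry.splitlines()
        sel_src, sel_dst = (ipaddress.ip_network(s.split("[")[0], strict=False)
                            for s in lines[0].split()[:2])
        if src_ip in sel_src and dst_ip in sel_dst:
            hits.append((lines[1].split()[0], int(re.search(r"spid=(\d+)", entry)[1])))
    return hits

def classify(src, dst):
    """Route src -> dst and list the 'out' SPs covering it (those override routing)."""
    outs = [p for p in matching_policies(SETKEY_DP, src, dst) if p[0] == "out"]
    return {"route": route_lookup(NETSTAT_RN, dst), "out_policies": outs}
```

Run `classify` on the GW's reply flow toward the affected Net 3 host: if the route says em1 and no `out` policy matches, the em5 exit seen in the thread is not explained by either table and the real dumps are needed.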