Problem with IPSec tunnel and normal routing

VANHULLEBUS Yvan vanhu at FreeBSD.org
Tue Nov 18 10:07:43 UTC 2014


Hi.


On Tue, Nov 18, 2014 at 10:52:50AM +0100, Göran Löwkrantz wrote:
> We have a problem with a NanoBSD GW/Router that seems to get its
> forwarding screwed up by an IPSec tunnel.
> 
>   +----+                                       +-------+
>   |    |         +----+                        |       |    +-- A
> 2 -+    |         |    |                        |       |    |
> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
> 4 -+    |         |    |                        | endp  |    |
>   |    |         +----+                        |       |    +-- C
>   +----+                                       +-------+
> 
> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
> 
> DMZ   - em5 - XXX.XXX.XXX.128/27  - DMZ and transfer net to outside.
> IPSec endp  - YYY.YYY.YYY.2
> 
> Net A - 192.168.45.129/32
> Net B - 192.168.45.130/32
> Net C - 192.168.40.8/29
> 
> Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.
> 
> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
> #0 r274192
> IKEv1 etc. is handled by strongswan-5.2.0_1
> Left IPSec endpoint is a Clavister VPN GW.
> 
> After a host on Net 3 has connected through the tunnel to
> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
> that host is received correctly at the GW on Net 3 (em1), but the
> response from the GW is sent out via the DMZ interface em5.
> Switching the host to Net 4, i.e. disconnecting the network cable and
> starting the WiFi, restores connectivity.
> 
> Other hosts on Net 3 that have not communicated via the IPSec tunnel
> are NOT affected.
> 
> All routing seems to be correct on the GW so some other mechanism
> must be at play.
> 
> Any help appreciated.

Could you please send us at least a dump of your SPD and routing
configuration?


Yvan.

