Problem with IPSec tunnel and normal routing
goran.lowkrantz at ismobile.com
Tue Nov 18 09:52:55 UTC 2014
We have a problem with a NanoBSD GW/Router that seems to get it's
forwarding screwed up by an IPSec tunnel.
| | +----+ | | +-- A
2 -+ | | | | | |
3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
4 -+ | | | | endp | |
| | +----+ | | +-- C
Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
IPSec endp - YYY.YYY.YYY.2
Net A - 192.168.45.129/32
Net B - 192.168.45.130/32
Net C - 192.168.40.8/29
Net 2 and Net 3 are setup to allow tunnel to Nets A,B and C.
GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE #0
IKEv1 etc. is handled by strongswan-5.2.0_1
Left IPSec endpoint is a Clavister VPN GW.
After a host on Net 3 has connected through the tunnel to 192.168.45.129
via a NATed VMWare Fusion connection, traffic from that host is received
correctly at the GW on Net 3 (em1) but the response from the GW is sent
out via the DMZ interface em5.
Switching the host to Net 4 i.e. disconnecting the network cable and
starting the WiFi restores connectivity.
Other hosts on Net 3 that has not communicated via the IPSec tunnel is NOT
All routing seems to be correct on the GW so some other mechanism must be
Any help appreciated.
More information about the freebsd-stable