ipsec routing issues

Rudy Baker
Hi, I'm not sure if this is some kind of bug or by design but I thought
I would ask.

Firstly check out this diagram I made: http://i.imgur.com/EUXqauH.png
- I hope I'm allowed to post that link.


The servers have default routes to their firewalls.
Firewall A has a default route to 10.100.100.2
Firewall B has a default route to 10.100.100.1

I turn off ipsec, kill all my tunnels.

Server A can ping Server Z and on both firewalls I see the ICMP
traffic coming on em1. Great, that's exactly what I expected.

In /etc/ipsec.conf on each firewall I set the peer to use the
172.16.0.x IP instead of using what I've set as the default
gateways (don't ask why..).

FW1:
ike esp from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2

FW2:
ike esp from 192.168.200.0/24 to 192.168.99.0/24 peer 172.16.0.1

I enable isakmpd, enable ipsec, my flows/SADs are good. My continuous
ping still works but now I have no traffic flowing through em1 and all
traffic is encrypted and flowing over em2. I figure that ipsec is
ignoring the routing table and sending that matching traffic to its
peer. I deleted the default routes altogether since no traffic is
being passed through there anymore. All my pings stopped working.

Another interesting thing is it seems like as long as there is any
kind of entry in the routing table for the network you're trying to
reach, it will fix things:

On FW1 and FW2 this fixed my pings between Server A and Server Z:

# route add default 127.0.0.1

That fixes my pings. If I delete all default routes and add static routes:

FW1:
# route delete default
# route add 192.168.200.0/24 127.0.0.1

FW2:
# route delete default
# route add 192.168.99.0/24 127.0.0.1

This also fixes my pings. I can also set the gateway to an IP that
doesn't even exist:

FW1:
# route delete default
# route add 192.168.200.0/24 192.168.99.45

FW2:
# route delete default
# route add 192.168.99.0/24 192.168.200.27

All of these things will fix my connectivity. The moment the route
doesn't exist or I remove the default route it breaks everything.


So I am wondering what is going on. I can fix my pings by adding fake
routes, routes that point at a loopback address and creating default
routes that lead to non-existent IPs, but everything seems to break
if I delete the route altogether.

Hopefully someone here can shed some light. If you need to see any
config files, I can provide them but I felt like it's a pretty
straightforward issue.

Thanks
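As an added example (not from the thread), a small Python check that cross-references the outbound flows printed by `ipsecctl -sf` with the routing table printed by `netstat -rn -f inet`, and reports flows whose destination prefix has no covering route; the sample outputs are constructed to resemble FW1 after the default route was deleted. It reflects my reading of the behaviour described above: the kernel resolves a route in ip_output() before the flow (SPD) lookup, so a destination with no route at all is dropped before IPsec can steer it to the peer, while any covering route, even a bogus one, lets the lookup proceed.

```python
# Added example: flag ipsec flow destinations that have no covering route.
import ipaddress
import re

# Constructed sample output, modelled on FW1 after the default route was deleted.
FLOWS = """\
flow esp in from 192.168.200.0/24 to 192.168.99.0/24 peer 172.16.0.2 srcid 172.16.0.1/32 dstid 172.16.0.2/32 type use
flow esp out from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2 srcid 172.16.0.1/32 dstid 172.16.0.2/32 type require
"""
ROUTES = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.100.100.0/30    link#1             UC         1        0     -     4 em1
127.0.0.1          127.0.0.1          UHl        1        2 32768     1 lo0
172.16.0.0/30      link#2             UC         1        0     -     4 em2
192.168.99.0/24    link#3             UC         1        0     -     4 em3
"""
# Same table after the "fake" route from the post: route add 192.168.200.0/24 127.0.0.1
ROUTES_FIXED = ROUTES + "192.168.200.0/24   127.0.0.1          UGS        0        0     -     8 lo0\n"

FLOW_RE = re.compile(r"^flow \S+ out from (\S+) to (\S+) peer (\S+)")
DEST_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$")

def parse_flows(text):
    """(src, dst, peer) for every outbound flow; inbound flows mirror these."""
    return [(ipaddress.ip_network(s, strict=False), ipaddress.ip_network(d, strict=False), p)
            for s, d, p in (m.groups() for m in map(FLOW_RE.match, text.splitlines()) if m)]

def parse_routes(text):
    """Destination prefixes from netstat -rn; 'default' is 0.0.0.0/0, hosts become /32."""
    nets = []
    for line in text.splitlines():
        dest = line.split()[0] if line.strip() else ""
        if dest == "default":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif DEST_RE.match(dest):
            nets.append(ipaddress.ip_network(dest, strict=False))
    return nets

def covering_route(dst, routes):
    """Most specific route prefix containing the whole flow destination, or None."""
    hits = [r for r in routes if dst.subnet_of(r)]
    return max(hits, key=lambda r: r.prefixlen) if hits else None

def unrouted_flows(flow_text, route_text):
    """Outbound flows whose destination the routing table cannot resolve at all."""
    routes = parse_routes(route_text)
    return [(str(d), p) for _, d, p in parse_flows(flow_text) if covering_route(d, routes) is None]
```

Run it against real output with `ipsecctl -sf` and `netstat -rn -f inet` piped into the two parsers; an empty result means every flow destination has some route for ip_output() to find.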


Re: ipsec routing issues

Maxim Bourmistrov-5
Hey,

to begin with, it would be nice to see output from ‘netstat -rn’ before
you started adding/deleting routes.

//mxb

> On 15 June 2016, at 22:56, rizz2pro <[hidden email]> wrote: