Hey, to begin with, it would be nice to see output from ‘netstat -rn’ before you started adding/deleting routes.
//mxb

> On 15 June 2016, at 22:56, rizz2pro <rizzz2...@gmail.com> wrote:
>
> Hi, I'm not sure if this is some kind of bug or by design but I thought
> I would ask.
>
> Firstly check out this diagram I made: http://i.imgur.com/EUXqauH.png
> - I hope I'm allowed to post that link.
>
> The servers have default routes to their firewalls.
> Firewall A has a default route to 10.100.100.2
> Firewall B has a default route to 10.100.100.1
>
> I turn off ipsec, kill all my tunnels.
>
> Server A can ping Server Z and on both firewalls I see the ICMP
> traffic coming on em1. Great, that's exactly what I expected.
>
> In /etc/ipsec.conf on each firewall I set the peer to use the
> 172.16.0.x IP instead of using what I've set as the default
> gateways (don't ask why..).
>
> FW1:
> ike esp from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2
>
> FW2:
> ike esp from 192.168.200.0/24 to 192.168.99.0/24 peer 172.16.0.1
>
> I enable isakmpd, enable ipsec, my flows/SADs are good. My continuous
> ping still works but now I have no traffic flowing through em1 and all
> traffic is encrypted and flowing over em2. I figure that ipsec is
> ignoring the routing table and sending that matching traffic to his
> peer. I deleted the default routes altogether since no traffic is
> being passed through there anymore. All my pings stopped working.
>
> Another interesting thing is it seems like as long as there is any
> kind of entry in the routing table for the network you're trying to
> reach, it will fix things:
>
> On FW1 and FW2 this fixed my pings between Server A and Server Z:
>
> # route add default 127.0.0.1
>
> That fixes my pings. If I delete all default routes and add static routes:
>
> FW1:
> # route delete default
> # route add 192.168.200.0/24 127.0.0.1
>
> FW2:
> # route delete default
> # route add 192.168.99.0/24 127.0.0.1
>
> This also fixes my pings. I can also set the gateway to an IP that
> doesn't even exist:
>
> FW1:
> # route delete default
> # route add 192.168.200.0/24 192.168.99.45
>
> FW2:
> # route delete default
> # route add 192.168.99.0/24 192.168.200.27
>
> All of these things will fix my connectivity. The moment the route
> doesn't exist or I remove the default route it breaks everything.
>
> So I am wondering what is going on. I can fix my pings by adding fake
> routes, routes that point at a loopback address and creating default
> routes that lead to non-existent IPs, but everything seems to break
> if I delete the route altogether.
>
> Hopefully someone here can shed some light. If you need to see any
> config files, I can provide them but I felt like it's a pretty
> straightforward issue.
>
> Thanks
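A small check, added here as an illustration (it is not the poster's code and not part of OpenBSD), that compares the destinations of the `ike`/`flow` lines in ipsec.conf against the entries in `netstat -rn` and lists any flow destination that no route fully covers; it assumes, consistent with what the post observes, that an outbound packet with no matching route is dropped before the IPsec flows are consulted. The ipsec.conf and netstat inputs below are constructed samples.

```python
import ipaddress
import re

# Constructed sample inputs for illustration; they are not the thread author's real files.
IPSEC_CONF = "ike esp from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2\n"
NETSTAT_NO_DEFAULT = """\
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
172.16.0/30        link#2             UC         0        0     -     4 em2
192.168.99/24      link#1             UC         0        0     -     4 em0
"""
# The same table after the poster's 'route add default 127.0.0.1' workaround.
NETSTAT_FIXED = NETSTAT_NO_DEFAULT + \
    "default            127.0.0.1          UGS        0        0     -     8 lo0\n"

FLOW_RE = re.compile(r"^\s*(?:ike|flow)\s+esp\s+from\s+(\S+)\s+to\s+(\S+)")

def _expand(dst):
    """Expand netstat's abbreviated IPv4 prefixes, e.g. '192.168.99/24' -> '192.168.99.0/24'."""
    addr, _, plen = dst.partition("/")
    octets = addr.split(".")
    if ":" in addr or len(octets) == 4:
        return dst
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return addr + ("/" + plen if plen else "")

def parse_flows(conf):
    """Return (src, dst) network pairs from 'ike esp from ... to ...' lines."""
    return [(ipaddress.ip_network(m.group(1), strict=False),
             ipaddress.ip_network(m.group(2), strict=False))
            for m in map(FLOW_RE.match, conf.splitlines()) if m]

def parse_routes(netstat):
    """Return the destination networks listed by 'netstat -rn'; header lines are skipped."""
    routes = []
    for line in netstat.splitlines():
        try:
            dst = line.split()[0]
            dst = "0.0.0.0/0" if dst == "default" else _expand(dst)
            routes.append(ipaddress.ip_network(dst, strict=False))
        except (IndexError, ValueError):
            pass  # blank lines, "Internet:", column headers
    return routes

def unrouted_flow_destinations(conf, netstat):
    """Flow destinations no route entry fully covers; such packets are dropped before the SPD is consulted."""
    routes = parse_routes(netstat)
    return [str(dst) for _, dst in parse_flows(conf)
            if not any(dst.version == r.version and dst.subnet_of(r) for r in routes)]
```

Run against a real box with `netstat -rn` and `/etc/ipsec.conf` piped in; an empty result means every flow destination has some covering route, which is the condition the post found necessary.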