Hello misc! We are experiencing what seems to be a routing problem when using ipsec flows and udp traffic.
We are using OpenVPN for the employees to connect from the outside world to our network. It is configured to use UDP. At the same time, this box has an ipsec tunnel configured to talk between different offices in different countries.

The problem seems to be that, at some point in time, all the UDP packets coming from anywhere end up being routed through the enc0 interface, when some of them (the ones coming through the Internet and not from our other office) should be routed normally, without using any ipsec flow. This of course causes all OpenVPN connection attempts coming from the Internet to fail, as they will never receive an answer from the server.

This is not the first time we've encountered this behaviour. I've also seen this happening when using named together with ipsec tunnels. The very same thing would happen (i.e., packets that should go to the Internet being routed via enc0). We have just realised that in both cases, OpenVPN and named, UDP might be in use.

When the OpenVPN server begins to "misbehave", I can still connect via ssh from the Internet (thus discarding TCP issues). To solve this we have to flush the ipsec tunnels. This seems to solve the issue.

The pf rules seem to be alright, keeping state for UDP connections. The only thing that we may be doing wrong is the ipsec flow configuration, but why would it work for some time, to show the detailed behaviour only after a couple of hours?

I'll appreciate your input,
Martmn.
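One thing a reader of this post would want to check before flushing the SAs again is whether any installed flow has a selector wide enough to match Internet traffic, since a flow whose source or destination covers 0.0.0.0/0 (or that pairs a broad selector with `proto udp`) will steer every matching packet into enc0 regardless of where it came from. The script below is an added example, not code from the original post or from OpenBSD; it parses lines shaped like `ipsecctl -sf` output (the line layout is approximated from memory and is an assumption), and the `SAMPLE_FLOWS` text, peer address and FQDN identities are constructed for illustration. `parse_flows`, `is_broad` and `audit_flows` are hypothetical helper names.

```python
"""Flag IPsec flow selectors broad enough to pull Internet traffic into enc0.

Added example for the misc@ thread above. The ``ipsecctl -sf`` line layout
below is approximated, not taken from the post; feed it real output to check
your own box. Selector widths are judged with the standard ipaddress module.
"""
import ipaddress
import re

# Assumed layout: "flow <proto> <in|out> [proto <l4>] from <src> to <dst>
# [proto <l4>] [peer <addr>] ...". Either position for the L4 proto is accepted.
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>esp|ah|ipcomp|ipip)\s+(?P<dir>in|out)"
    r"(?:\s+proto\s+(?P<l4a>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+proto\s+(?P<l4b>\S+))?"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
)

# Constructed sample: two sane office-to-office flows plus one outbound flow
# whose destination selector is the whole Internet for UDP. That third flow is
# the kind of thing that would swallow OpenVPN's UDP replies to Internet clients.
SAMPLE_FLOWS = """\
FLOWS:
flow esp in from 10.20.0.0/16 to 10.10.0.0/16 peer 198.51.100.7 srcid FQDN/remote.example dstid FQDN/local.example type use
flow esp out from 10.10.0.0/16 to 10.20.0.0/16 peer 198.51.100.7 srcid FQDN/local.example dstid FQDN/remote.example type require
flow esp out proto udp from 10.10.0.0/16 to 0.0.0.0/0 peer 198.51.100.7 srcid FQDN/local.example dstid FQDN/remote.example type require
"""


def parse_flows(text):
    """Return one dict per recognised flow line; non-matching lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "dir": d["dir"],
            "src": d["src"],
            "dst": d["dst"],
            "l4": d["l4a"] or d["l4b"],   # whichever position carried it
            "peer": d["peer"],
            "raw": line.strip(),
        })
    return flows


def is_broad(selector, min_prefix=8):
    """True when a selector covers more than a /min_prefix (default: /8).

    "any" and the zero-length prefixes always count as broad; anything that is
    not an address or network (e.g. a hostname) is left alone.
    """
    if selector in ("any", "0.0.0.0/0", "::/0"):
        return True
    try:
        net = ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return False
    return net.prefixlen < min_prefix


def audit_flows(text, min_prefix=8):
    """Return (raw_line, [reasons]) for every flow with a suspiciously wide selector."""
    findings = []
    for f in parse_flows(text):
        reasons = []
        for end in ("src", "dst"):
            if is_broad(f[end], min_prefix):
                reasons.append(f"{end} selector {f[end]} is wider than a /{min_prefix}")
        if reasons and f["l4"] == "udp":
            reasons.append("proto udp with a broad selector: all matching UDP, "
                           "OpenVPN and DNS included, would be sent via enc0")
        if reasons:
            findings.append((f["raw"], reasons))
    return findings


if __name__ == "__main__":
    # On a real gateway: audit_flows(subprocess.run(["ipsecctl", "-sf"], ...).stdout)
    for raw, reasons in audit_flows(SAMPLE_FLOWS):
        print(raw)
        for r in reasons:
            print("   ", r)
```

Run against the constructed sample it reports only the third flow. On a live box, pipe the real `ipsecctl -sf` output into `audit_flows`; a flow that shows up here but was not meant to cover Internet destinations is a narrower-selector fix in ipsec.conf rather than something to keep flushing.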