From: Göran Löwkrantz
To: freebsd-stable@freebsd.org
Subject: Problem with IPSec tunnel and normal routing
Date: Tue, 18 Nov 2014 10:52:50 +0100

We have a problem with a NanoBSD GW/Router that seems to get its forwarding screwed up by an IPSec tunnel.

         +----+                                      +-------+
         |    |         +----+                       |       +-- A
    2 ---+    |         |    |                       |       |
    3 ---+ GW +-- DMZ --+ FW +--- Internet ---????---+ IPSec +-- B
    4 ---+    |         |    |                       | endp  |
         |    |         +----+                       |       +-- C
         +----+                                      +-------+

Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
IPSec endp - YYY.YYY.YYY.2
Net A - 192.168.45.129/32
Net B - 192.168.45.130/32
Net C - 192.168.40.8/29

Net 2 and Net 3 are set up to allow tunnel to Nets A, B and C.

GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE #0 r274192
IKEv1 etc. is handled by strongswan-5.2.0_1
Left IPSec endpoint is a Clavister VPN GW.

After a host on Net 3 has connected through the tunnel to 192.168.45.129 via a NATed VMWare Fusion connection, traffic from that host is received correctly at the GW on Net 3 (em1), but the response from the GW is sent out via the DMZ interface em5.

Switching the host to Net 4, i.e. disconnecting the network cable and starting the WiFi, restores connectivity.

Other hosts on Net 3 that have not communicated via the IPSec tunnel are NOT affected.

All routing seems to be correct on the GW so some other mechanism must be at play.

Any help appreciated.

BR, Goran
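The following is an added model of the decision the post is about (it is example code, not part of the post or of strongSwan): on a policy-based IPsec gateway the SPD is consulted before the plain routing table, so the expected egress of a packet depends on both. It encodes the nets from the post and lets you compare an observed egress interface with the expected one. The public prefixes masked as XXX/YYY in the post are replaced with RFC 5737 documentation addresses, and 192.168.3.1 is an assumed GW address on em1.

```python
import ipaddress

# Constructed stand-ins for the masked public addresses in the post.
DMZ_NET = ipaddress.ip_network("203.0.113.128/27")   # XXX.XXX.XXX.128/27
IPSEC_PEER = ipaddress.ip_address("198.51.100.2")    # YYY.YYY.YYY.2

# Routing table of the GW as (prefix, interface); default route via the DMZ.
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "em2"),
    (ipaddress.ip_network("192.168.3.0/24"), "em1"),
    (ipaddress.ip_network("192.168.4.0/24"), "em0"),
    (DMZ_NET, "em5"),
    (ipaddress.ip_network("0.0.0.0/0"), "em5"),
]

# SPD as described in the post: Net 2 and Net 3 may reach Nets A, B, C through
# the tunnel (both directions, so inbound replies match the same policies).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24")]
REMOTE_NETS = [ipaddress.ip_network(n)
               for n in ("192.168.45.129/32", "192.168.45.130/32", "192.168.40.8/29")]
SPD = [(loc, rem) for loc in LOCAL_NETS for rem in REMOTE_NETS]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def spd_match(src, dst):
    """True if the flow matches a tunnel policy in either direction."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((src in loc and dst in rem) or (src in rem and dst in loc)
               for loc, rem in SPD)


def expected_egress(src, dst):
    """A matching SPD entry wins over plain routing: the encapsulated packet is
    then routed towards the IPsec peer, not towards dst."""
    if spd_match(src, dst):
        return ("tunnel", route_lookup(IPSEC_PEER))
    return ("plain", route_lookup(dst))


def egress_mismatch(src, dst, observed_iface):
    """The symptom from the post: observed egress differs from the expected one."""
    return expected_egress(src, dst)[1] != observed_iface
```

A reply from the GW to a Net 3 host must leave on em1; seeing it on em5 is exactly the mismatch the function flags.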