Bug #9022 (closed): Policy Routing an Exception to an IPsec Tunnel Drops Reply Traffic
Description
Site A
Tunnel Local 172.25.234.0/24 Remote 192.168.223.0/24
Site B
Tunnel Local 192.168.223.0/24 Remote 172.25.234.0/24
192.168.223.0/24 is accessible by both firewalls out WAN. Both sites perform outbound NAT to reach it.
Place a policy routing rule on Site A LAN forcing ICMP to 192.168.223.6/32 out the WAN gateway.
Ping 192.168.223.1 and 192.168.223.6
Pings to 192.168.223.1 succeed (over IPsec and out Site B WAN)
Pings to 192.168.223.6 fail (Sent out Site A WAN but replies are silently dropped)
No firewall log hits.
Async crypto is disabled on both sides.
If the IPsec tunnel is disabled on site B, pings instantly start flowing. Enable and reconnect it, they stop again.
Updated by Chris Linstruth about 7 years ago
If the IPsec tunnel is disabled on site B, pings instantly start flowing. Enable and reconnect it, they stop again.
If the IPsec tunnel is disabled on site A, pings instantly start flowing. Enable and reconnect it, they stop again.
Sorry about that.
Updated by Jim Pingle about 7 years ago
- Status changed from New to Not a Bug
Not a bug. You can't policy route around IPsec in tunnel mode. The stack will drop replies because they didn't come via the secure path. They only left because pf forced them out.
At least I can't recall this working in the past, I do remember having a number of issues where lingering SPDs prevented alternate paths from working, though.
VTI or OpenVPN would be good alternate solutions here.
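The behaviour explained in this thread can be illustrated with a small model of the inbound IPsec policy check. This is an added example written for this page, not pfSense or FreeBSD code: the subnets and host addresses come from the bug description, while the policy structure, the helper names (`tunnel_mode_spd`, `vti_spd`, `ping`) and the assumption that the inbound check sees the already un-NATed addresses are constructed for illustration.

```python
"""Constructed model of the inbound IPsec policy check behind this report.
Not pfSense or FreeBSD code: addresses come from the bug description, the
policy layout and helper functions are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SITE_A_LAN = "172.25.234.0/24"   # tunnel "Local" at Site A
SITE_B_LAN = "192.168.223.0/24"  # tunnel "Remote" at Site A


@dataclass(frozen=True)
class Policy:
    src: str        # source selector (CIDR)
    dst: str        # destination selector (CIDR)
    direction: str  # "in" or "out"
    scope: str      # "global": tunnel-mode SPD consulted for every packet
                    # "vti": bound to the ipsec interface, not consulted on WAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protected: bool  # True when the packet arrived inside ESP


def lookup(spd: List[Policy], pkt: Packet, direction: str) -> Optional[Policy]:
    """First global 'require IPsec' policy whose selectors match the packet."""
    for pol in spd:
        if pol.direction != direction or pol.scope != "global":
            continue
        if (ip_address(pkt.src) in ip_network(pol.src)
                and ip_address(pkt.dst) in ip_network(pol.dst)):
            return pol
    return None


def inbound_ipsec_check(spd: List[Policy], pkt: Packet) -> str:
    """Models the kernel's inbound SPD check on a forwarded packet (assumed to
    run on the already un-NATed addresses): cleartext traffic that a policy
    says must have arrived through ESP is discarded inside the IPsec layer.
    pf already passed it, which is why nothing shows up in the firewall log."""
    if not pkt.protected and lookup(spd, pkt, "in") is not None:
        return "drop (IPsec policy violation, no pf log)"
    return "accept"


def tunnel_mode_spd(local: str, remote: str) -> List[Policy]:
    """Tunnel-mode phase 2 installs a global policy pair for the subnet pair."""
    return [Policy(local, remote, "out", "global"),
            Policy(remote, local, "in", "global")]


def vti_spd() -> List[Policy]:
    """VTI keeps its any/any policies on the ipsec interface instead."""
    return [Policy("0.0.0.0/0", "0.0.0.0/0", "out", "vti"),
            Policy("0.0.0.0/0", "0.0.0.0/0", "in", "vti")]


def ping(spd: List[Policy], src: str, dst: str, egress: str) -> str:
    """Verdict on the echo reply for a request that left Site A via `egress`:
    'tunnel'  - normal tunnel-mode path, reply comes back inside ESP
    'vti'     - routed into the ipsec interface, reply comes back inside ESP
    'wan'     - pf route-to forced it out WAN in cleartext (NATed), so the
                peer answers in cleartext toward the WAN address"""
    protected = egress in ("tunnel", "vti")
    reply = Packet(src=dst, dst=src, protected=protected)
    return inbound_ipsec_check(spd, reply)


def demo() -> dict:
    """The four situations from the report, keyed by a short description."""
    tunnel = tunnel_mode_spd(SITE_A_LAN, SITE_B_LAN)
    host = "172.25.234.10"  # constructed Site A LAN client
    return {
        "tunnel up, 192.168.223.1 via IPsec": ping(tunnel, host, "192.168.223.1", "tunnel"),
        "tunnel up, 192.168.223.6 policy-routed out WAN": ping(tunnel, host, "192.168.223.6", "wan"),
        "tunnel disabled, 192.168.223.6 out WAN": ping([], host, "192.168.223.6", "wan"),
        "VTI, 192.168.223.6 policy-routed out WAN": ping(vti_spd(), host, "192.168.223.6", "wan"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:48} -> {verdict}")
```

The model reproduces the symptoms in the thread: the policy-routed reply is dropped only while the tunnel-mode policies exist, disappears as soon as the tunnel is disabled, and is not affected by VTI policies because those are tied to the ipsec interface rather than to the subnet pair. On the firewall itself the real policies can be listed with `setkey -DP` to confirm which selector pair a cleartext reply is colliding with.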