Bug #9022 (closed): Policy Routing an Exception to an IPsec Tunnel Drops Reply Traffic
Status: Not a Bug
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 10/06/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture:
Description
Site A: Tunnel Local 172.25.234.0/24, Remote 192.168.223.0/24
Site B: Tunnel Local 192.168.223.0/24, Remote 172.25.234.0/24
192.168.223.0/24 is accessible by both firewalls out WAN. Both sites perform outbound NAT to reach it.
Place a policy routing rule on Site A LAN forcing ICMP to 192.168.223.6/32 out the WAN gateway.
Ping 192.168.223.1 and 192.168.223.6
Pings to 192.168.223.1 succeed (over IPsec and out Site B WAN)
Pings to 192.168.223.6 fail (Sent out Site A WAN but replies are silently dropped)
No firewall log hits.
Async crypto is disabled on both sides.
If the IPsec tunnel is disabled on Site B, pings instantly start flowing. Enable and reconnect it, and they stop again.
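The condition in this report is a policy-routing destination (192.168.223.6/32) that lies inside the remote network of a phase 2 entry (192.168.223.0/24), so the same host is reachable both through the tunnel and through a NATed WAN path. The following script is an added example, not pfSense code and not from this ticket's author: it takes a constructed list of phase 2 entries and policy-routing rules (the networks are those in the report; the second rule and the names `siteA-to-siteB` and `WAN_GW` are made up) and flags every rule whose destination overlaps a tunnel's remote network, which is the first thing to audit before changing firewall or IPsec settings.

```python
"""Flag policy-routing rules whose destination overlaps an IPsec phase 2 remote network.

Added example built from the networks in the report; it is not pfSense code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 (SPD) entry: traffic from local to remote is tunneled."""
    name: str
    local: IPv4Network
    remote: IPv4Network


@dataclass(frozen=True)
class PolicyRoute:
    """A firewall rule that forces matching traffic out a specific gateway."""
    iface: str
    dest: IPv4Network
    gateway: str  # gateway name is an assumed placeholder, e.g. "WAN_GW"


def overlapping_rules(tunnels, rules):
    """Return (rule, tunnel) pairs where the rule's destination overlaps the
    tunnel's remote network, i.e. destinations claimed by both the policy
    route and the IPsec SPD."""
    hits = []
    for rule in rules:
        for tunnel in tunnels:
            if rule.dest.overlaps(tunnel.remote):
                hits.append((rule, tunnel))
    return hits


def report(tunnels, rules):
    """Human-readable lines, one per overlap, for an audit log or console."""
    return [
        f"{rule.iface} rule to {rule.dest} via {rule.gateway} overlaps "
        f"phase 2 '{tunnel.name}' remote {tunnel.remote}"
        for rule, tunnel in overlapping_rules(tunnels, rules)
    ]


# Constructed from the report: Site A's single phase 2 entry.
SITE_A_TUNNELS = [
    Phase2("siteA-to-siteB",  # assumed name
           ip_network("172.25.234.0/24"),
           ip_network("192.168.223.0/24")),
]

# Constructed rules: the first is the exception from the report, the second is
# a made-up rule that does not overlap the tunnel and should not be flagged.
SITE_A_RULES = [
    PolicyRoute("LAN", ip_network("192.168.223.6/32"), "WAN_GW"),
    PolicyRoute("LAN", ip_network("10.9.0.0/16"), "WAN_GW"),
]

if __name__ == "__main__":
    for line in report(SITE_A_TUNNELS, SITE_A_RULES) or ["no overlaps found"]:
        print(line)
```

Run it as-is to see the single overlap from the report; replace the two constructed lists with the phase 2 entries and policy rules exported from your own firewall to audit a real configuration. A flagged overlap is not by itself an error, but it identifies exactly the hosts whose traffic can leave by one path while the SPD expects it on another.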