[8.160][BUG][FIXED] VPN Routing issue

In ASG 8.102 to 8.160 there is a routing issue.

If I have a local network 10.103.131.224/28 and 10.103.131.242, then it should have a better metric than the VPN SA 10.0.0.0/8 (normally a smaller netmask is better than a large one).

But it looks like the ASG routes a ping from 10.103.131.230 to 10.103.131.242 inside the VPN tunnel. When I disable the VPN, everything is perfect.

VPN disabled:
Wall-e:/home/login # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.103.131.224  *               255.255.255.240 U     0      0        0 eth0.1310
10.103.131.240  *               255.255.255.240 U     0      0        0 eth0.1311
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.180.0   *               255.255.255.224 U     0      0        0 eth0.1
192.168.180.32  *               255.255.255.224 U     0      0        0 eth0.32
lo1.br12.asham. *               255.255.255.255 UH    0      0        0 ppp0


VPN enabled:
Wall-e:/home/login # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.0.0.0       U     0      0        0 ppp0
10.103.131.224  *               255.255.255.240 U     0      0        0 eth0.1310
10.103.131.240  *               255.255.255.240 U     0      0        0 eth0.1311
loopback        *               255.0.0.0       U     0      0        0 lo
172.30.0.0      *               255.255.0.0     U     0      0        0 ppp0
192.168.0.0     *               255.255.0.0     U     0      0        0 ppp0
192.168.180.0   *               255.255.255.224 U     0      0        0 eth0.1
192.168.180.32  *               255.255.255.224 U     0      0        0 eth0.32
lo1.br12.asham. *               255.255.255.255 UH    0      0        0 ppp0


VPN Configuration:

local Networks:
10.103.131.224/28
10.103.131.240/28

remote Networks:
10.0.0.0/8
192.168.0.0/16
172.30.0.0/16




This is necessary for us because we have the following configuration and no dynamic routing protocol:

Home Offices -> Branch Office -> HQ -> all other BOs
  • ipsec status

    Wall-e:/home/login # ipsec status
    000 "S_REF_IpsSitBogshambur_0": 10.103.131.224/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===10.0.0.0/8; erouted; eroute owner: #979
    000 "S_REF_IpsSitBogshambur_0":   newest ISAKMP SA: #807; newest IPsec SA: #979; 
    000 "S_REF_IpsSitBogshambur_1": 10.103.131.224/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===172.30.0.0/16; erouted; eroute owner: #977
    000 "S_REF_IpsSitBogshambur_1":   newest ISAKMP SA: #0; newest IPsec SA: #977; 
    000 "S_REF_IpsSitBogshambur_2": 10.103.131.224/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===192.168.0.0/16; erouted; eroute owner: #980
    000 "S_REF_IpsSitBogshambur_2":   newest ISAKMP SA: #0; newest IPsec SA: #980; 
    000 "S_REF_IpsSitBogshambur_3": 10.103.131.240/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===10.0.0.0/8; erouted; eroute owner: #821
    000 "S_REF_IpsSitBogshambur_3":   newest ISAKMP SA: #0; newest IPsec SA: #821; 
    000 "S_REF_IpsSitBogshambur_4": 10.103.131.240/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===172.30.0.0/16; erouted; eroute owner: #978
    000 "S_REF_IpsSitBogshambur_4":   newest ISAKMP SA: #0; newest IPsec SA: #978; 
    000 "S_REF_IpsSitBogshambur_5": 10.103.131.240/28===85.183.X.X[85.183.X.X]...83.236.X.X[83.236.X.X]===192.168.0.0/16; erouted; eroute owner: #810
    000 "S_REF_IpsSitBogshambur_5":   newest ISAKMP SA: #0; newest IPsec SA: #810; 
    000 "S_REF_IpsSitToflorianh_0": 10.103.131.224/28===85.183.X.X:4500[85.183.X.X]...87.145.X.X:4500[192.168.9.98]===192.168.11.0/24; erouted; eroute owner: #938
    000 "S_REF_IpsSitToflorianh_0":   newest ISAKMP SA: #872; newest IPsec SA: #938; 
    000 "S_REF_IpsSitToflorianh_1": 10.103.131.224/28===85.183.X.X:4500[85.183.X.X]...87.145.X.X:4500[192.168.9.98]===192.168.10.0/24; erouted; eroute owner: #960
    000 "S_REF_IpsSitToflorianh_1":   newest ISAKMP SA: #0; newest IPsec SA: #960; 
    000 "S_REF_IpsSitToflorianh_2": 10.103.131.240/28===85.183.X.X:4500[85.183.X.X]...87.145.X.X:4500[192.168.9.98]===192.168.11.0/24; erouted; eroute owner: #921
    000 "S_REF_IpsSitToflorianh_2":   newest ISAKMP SA: #0; newest IPsec SA: #921; 
    000 "S_REF_IpsSitToflorianh_3": 10.103.131.240/28===85.183.X.X:4500[85.183.X.X]...87.145.X.X:4500[192.168.9.98]===192.168.10.0/24; erouted; eroute owner: #941
    000 "S_REF_IpsSitToflorianh_3":   newest ISAKMP SA: #0; newest IPsec SA: #941; 
    000 "X_REF_IpsSitBogshambur_0": 10.103.131.224/28===85.183.X.X[85.183.X.X]...255.255.255.255[255.255.255.255]===10.103.131.224/28; prospective erouted; eroute owner: #0
    000 "X_REF_IpsSitBogshambur_0":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
    000 "X_REF_IpsSitBogshambur_3": 10.103.131.240/28===85.183.X.X[85.183.X.X]...255.255.255.255[255.255.255.255]===10.103.131.240/28; prospective erouted; eroute owner: #0
    000 "X_REF_IpsSitBogshambur_3":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
    000 
    000 #979: "S_REF_IpsSitBogshambur_0" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27968s; newest IPSEC; eroute owner
    000 #979: "S_REF_IpsSitBogshambur_0" esp.d22de12a@83.236.X.X (0 bytes) esp.386d2c59@85.183.X.X (0 bytes); tunnel
    000 #807: "S_REF_IpsSitBogshambur_0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 23274s; newest ISAKMP
    000 #977: "S_REF_IpsSitBogshambur_1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27709s; newest IPSEC; eroute owner
    000 #977: "S_REF_IpsSitBogshambur_1" esp.25a5a46b@83.236.X.X (0 bytes) esp.3afe5a2c@85.183.X.X (0 bytes); tunnel
    000 #980: "S_REF_IpsSitBogshambur_2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27862s; newest IPSEC; eroute owner
    000 #980: "S_REF_IpsSitBogshambur_2" esp.f82b18c7@83.236.X.X (0 bytes) esp.13136f59@85.183.X.X (0 bytes); tunnel
    000 #821: "S_REF_IpsSitBogshambur_3" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23598s; newest IPSEC; eroute owner
    000 #821: "S_REF_IpsSitBogshambur_3" esp.2972216c@83.236.X.X (179285 bytes, 36s ago) esp.42be8c6a@85.183.X.X (181018 bytes, 36s ago); tunnel
    000 #978: "S_REF_IpsSitBogshambur_4" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27904s; newest IPSEC; eroute owner
    000 #978: "S_REF_IpsSitBogshambur_4" esp.821e9268@83.236.X.X (0 bytes) esp.185494af@85.183.X.X (0 bytes); tunnel
    000 #810: "S_REF_IpsSitBogshambur_5" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23161s; newest IPSEC; eroute owner
    000 #810: "S_REF_IpsSitBogshambur_5" esp.77678097@83.236.X.X (152636 bytes, 1s ago) esp.d0a6e1c4@85.183.X.X (0 bytes); tunnel
    000 #938: "S_REF_IpsSitToflorianh_0" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1528s; newest IPSEC; eroute owner
    000 #938: "S_REF_IpsSitToflorianh_0" esp.d1076b7e@87.145.X.X (0 bytes) esp.12dd2e51@85.183.X.X (0 bytes); tunnel
    000 #872: "S_REF_IpsSitToflorianh_0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3632s; newest ISAKMP
    000 #960: "S_REF_IpsSitToflorianh_1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1886s; newest IPSEC; eroute owner
    000 #960: "S_REF_IpsSitToflorianh_1" esp.d9dec7c@87.145.X.X (0 bytes) esp.4fa2976@85.183.X.X (0 bytes); tunnel
    000 #921: "S_REF_IpsSitToflorianh_2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 906s; newest IPSEC; eroute owner
    000 #921: "S_REF_IpsSitToflorianh_2" esp.bddc6377@87.145.X.X (0 bytes) esp.6d03b768@85.183.X.X (0 bytes); tunnel
    000 #982: "S_REF_IpsSitToflorianh_3" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 5s
    000 #981: "S_REF_IpsSitToflorianh_3" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 2s
    000 #941: "S_REF_IpsSitToflorianh_3" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1435s; newest IPSEC; eroute owner
    000 #941: "S_REF_IpsSitToflorianh_3" esp.6ae7f4d0@87.145.X.X (20880 bytes, 48s ago) esp.90821aaf@85.183.X.X (21025 bytes, 47s ago); tunnel
    000 
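
Added example (not part of the original post and not ASG code): it compares the kernel's longest-prefix route choice with the IPsec connection selectors shown in the outputs above for the reported ping. Reading the X_REF entries as same-subnet exceptions, and the conflict rule in `diagnose`, are assumptions made for this illustration.

```python
import ipaddress as ip

# Routing table with the VPN enabled, taken from the post's `route` output
# (loopback and the ppp0 host route are left out).
ROUTES = [
    ("10.0.0.0/8", "ppp0"), ("172.30.0.0/16", "ppp0"), ("192.168.0.0/16", "ppp0"),
    ("10.103.131.224/28", "eth0.1310"), ("10.103.131.240/28", "eth0.1311"),
    ("192.168.180.0/27", "eth0.1"), ("192.168.180.32/27", "eth0.32"),
]

# (connection, local selector, remote selector) from the post's `ipsec status`:
# the two 10.0.0.0/8 tunnels plus the X_REF entries.
SELECTORS = [
    ("S_REF_IpsSitBogshambur_0", "10.103.131.224/28", "10.0.0.0/8"),
    ("S_REF_IpsSitBogshambur_3", "10.103.131.240/28", "10.0.0.0/8"),
    ("X_REF_IpsSitBogshambur_0", "10.103.131.224/28", "10.103.131.224/28"),
    ("X_REF_IpsSitBogshambur_3", "10.103.131.240/28", "10.103.131.240/28"),
]

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (prefix, iface) or None."""
    addr = ip.ip_address(dst)
    hits = [(ip.ip_network(p), i) for p, i in ROUTES if addr in ip.ip_network(p)]
    if not hits:
        return None
    net, iface = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), iface

def matching_selectors(src, dst):
    """Connections whose local/remote selector pair covers src -> dst."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return [n for n, loc, rem in SELECTORS
            if s in ip.ip_network(loc) and d in ip.ip_network(rem)]

def diagnose(src, dst):
    """Flag packets routed to a local interface but covered by a tunnel selector."""
    route = route_lookup(dst)
    names = matching_selectors(src, dst)
    tunnels = [n for n in names if n.startswith("S_REF")]
    # Assumption: an X_REF match (same subnet on both sides) exempts the packet.
    exempt = any(n.startswith("X_REF") for n in names)
    local = route is not None and route[1] != "ppp0"
    return {"route": route, "tunnels": tunnels,
            "conflict": local and bool(tunnels) and not exempt}

if __name__ == "__main__":
    for dst in ("10.103.131.242", "10.103.131.228"):
        print(dst, diagnose("10.103.131.230", dst))
```

For the ping in the post, the route table selects 10.103.131.240/28 on eth0.1311, yet the selector pair 10.103.131.224/28 to 10.0.0.0/8 also covers the packet and no X_REF entry spans the two /28 networks.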