[8.160][BUG][FIXED] VPN Routing issue

In ASG 8.102 to 8.160 there is a routing issue.

If i have a local Network 10.103.131.224/28 and 10.103.131.242 should it have a better metric as the VPN SA 10.0.0.0/8 (normaly a smaler Netmask is better then large).

But it looks like the ASG routes a ping form 10.103.131.230 to 10.103.131.242 inside the VPN Tunnel. When i dissable the VPN everything is perfekt.

VPN Dissable:

Wall-e:/home/login # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.103.131.224  *               255.255.255.240 U     0      0        0 eth0.1310
10.103.131.240  *               255.255.255.240 U     0      0        0 eth0.1311
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.180.0   *               255.255.255.224 U     0      0        0 eth0.1
192.168.180.32  *               255.255.255.224 U     0      0        0 eth0.32
lo1.br12.asham. *               255.255.255.255 UH    0      0        0 ppp0

VPN enabled

Wall-e:/home/login # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.0.0.0       U     0      0        0 ppp0
10.103.131.224  *               255.255.255.240 U     0      0        0 eth0.1310
10.103.131.240  *               255.255.255.240 U     0      0        0 eth0.1311
loopback        *               255.0.0.0       U     0      0        0 lo
172.30.0.0      *               255.255.0.0     U     0      0        0 ppp0
192.168.0.0     *               255.255.0.0     U     0      0        0 ppp0
192.168.180.0   *               255.255.255.224 U     0      0        0 eth0.1
192.168.180.32  *               255.255.255.224 U     0      0        0 eth0.32
lo1.br12.asham. *               255.255.255.255 UH    0      0        0 ppp0

VPN Configuration:

local Networks:
10.103.131.224/28
10.103.131.240/28

remote Networks:
10.0.0.0/8
192.168.0.0/16
172.30.0.0/16

This is necessary for us, because we have following konfiguration and no dynamic routing protocoll.:

Home Offices -> Branch Office -> HQ -> all other BOs

Parents

0 DarkLord541 over 14 years ago

ip xfrm policy

Wall-e:/home/login # ip xfrm policy
src 10.103.131.224/28 dst 192.168.0.0/16
dir out priority 2224 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16393 mode tunnel
src 10.103.131.224/28 dst 10.0.0.0/8
dir out priority 2232 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16385 mode tunnel
src 10.103.131.240/28 dst 172.30.0.0/16
dir out priority 2224 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16401 mode tunnel
src 10.103.131.224/28 dst 172.30.0.0/16
dir out priority 2224 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16389 mode tunnel
src 10.103.131.224/28 dst 192.168.10.0/24
dir out priority 2216 ptype main flag 2
tmpl src 85.183.X.X dst 87.145.X.X
proto esp reqid 16437 mode tunnel
src 10.103.131.240/28 dst 192.168.10.0/24
dir out priority 2216 ptype main flag 2
tmpl src 85.183.X.X dst 87.145.X.X
proto esp reqid 16445 mode tunnel
src 10.103.131.224/28 dst 192.168.11.0/24
dir out priority 2216 ptype main flag 2
tmpl src 85.183.X.X dst 87.145.X.X
proto esp reqid 16433 mode tunnel
src 10.103.131.240/28 dst 192.168.11.0/24
dir out priority 2216 ptype main flag 2
tmpl src 85.183.X.X dst 87.145.X.X
proto esp reqid 16441 mode tunnel
src 10.103.131.240/28 dst 10.0.0.0/8
dir out priority 2232 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16397 mode tunnel
src 10.103.131.240/28 dst 192.168.0.0/16
dir out priority 2224 ptype main flag 2
tmpl src 85.183.X.X dst 83.236.X.X
proto esp reqid 16405 mode tunnel
src 192.168.11.0/24 dst 10.103.131.224/28
dir fwd priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16433 mode tunnel
src 192.168.11.0/24 dst 10.103.131.224/28
dir in priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16433 mode tunnel
src 192.168.10.0/24 dst 10.103.131.224/28
dir fwd priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16437 mode tunnel
src 192.168.10.0/24 dst 10.103.131.224/28
dir in priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16437 mode tunnel
src 192.168.11.0/24 dst 10.103.131.240/28
dir fwd priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16441 mode tunnel
src 192.168.11.0/24 dst 10.103.131.240/28
dir in priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16441 mode tunnel
src 192.168.10.0/24 dst 10.103.131.240/28
dir fwd priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16445 mode tunnel
src 192.168.10.0/24 dst 10.103.131.240/28
dir in priority 2216 ptype main flag 2
tmpl src 87.145.X.X dst 85.183.X.X
proto esp reqid 16445 mode tunnel
src 10.0.0.0/8 dst 10.103.131.224/28
dir fwd priority 2232 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16385 mode tunnel
src 10.0.0.0/8 dst 10.103.131.224/28
dir in priority 2232 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16385 mode tunnel
src 172.30.0.0/16 dst 10.103.131.224/28
dir fwd priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16389 mode tunnel
src 172.30.0.0/16 dst 10.103.131.224/28
dir in priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16389 mode tunnel
src 192.168.0.0/16 dst 10.103.131.224/28
dir fwd priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16393 mode tunnel
src 192.168.0.0/16 dst 10.103.131.224/28
dir in priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16393 mode tunnel
src 10.0.0.0/8 dst 10.103.131.240/28
dir fwd priority 2232 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16397 mode tunnel
src 10.0.0.0/8 dst 10.103.131.240/28
dir in priority 2232 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16397 mode tunnel
src 172.30.0.0/16 dst 10.103.131.240/28
dir fwd priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16401 mode tunnel
src 172.30.0.0/16 dst 10.103.131.240/28
dir in priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16401 mode tunnel
src 192.168.0.0/16 dst 10.103.131.240/28
dir fwd priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16405 mode tunnel
src 192.168.0.0/16 dst 10.103.131.240/28
dir in priority 2224 ptype main flag 2
tmpl src 83.236.X.X dst 85.183.X.X
proto esp reqid 16405 mode tunnel
src 10.103.131.240/28 dst 10.103.131.240/28
dir out priority 2212 ptype main flag 2
src 10.103.131.240/28 dst 10.103.131.240/28
dir fwd priority 2212 ptype main flag 2
src 10.103.131.240/28 dst 10.103.131.240/28
dir in priority 2212 ptype main flag 2
src 10.103.131.224/28 dst 10.103.131.224/28
dir out priority 2212 ptype main flag 2
src 10.103.131.224/28 dst 10.103.131.224/28
dir fwd priority 2212 ptype main flag 2
src 10.103.131.224/28 dst 10.103.131.224/28
dir in priority 2212 ptype main flag 2
src ::/0 dst ::/0
dir 4 priority 0 ptype main
src ::/0 dst ::/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0 ptype main
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 d12fk over 14 years ago in reply to DarkLord541

As expected the bypass policies from 10.103.131.224/28 to 10.103.131.240/28 and vice versa are missing. Sending ping within the subnets should work.

Thanks for the report, this will be fixed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 d12fk over 14 years ago in reply to DarkLord541

As expected the bypass policies from 10.103.131.224/28 to 10.103.131.240/28 and vice versa are missing. Sending ping within the subnets should work.

Thanks for the report, this will be fixed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data