For a month I have been dealing with a problem with VPN traffic not passing through the tunnels, and I finally figured out the problem a couple of days ago.
It appears to be a bug in the NAT settings. Instead of using masquerade I wanted to use SNAT for more flexibility. That way I could 1:1 NAT, or allow different subnets to use different IPs (I have 5 public IPs). With masquerade, I can only use the interface IP, which doesn't give me the flexibility I want, so I set up SNAT.
Later I set up IPsec VPN tunnels and could not figure out why I couldn't get traffic to pass through them. I checked and rechecked the settings, then I asked for help on this forum as you can see here:
Tunnels are up cannot ping FROM astaro side
I set up policy routes and did everything I could, but nothing worked.
FINALLY, I decided to disable SNAT and use masquerade and lo and behold...
SUCCESS!!!
It seems that NAT is processed before the internal routing to IPsec VPNs, therefore all traffic to other sites is simply NAT'ed out the public interface.
This makes it impossible for any node using SNAT to access any resource through a VPN tunnel.
I guess most people use masquerade, so that's why it wasn't caught so soon. But I'm surprised that I didn't hear about it sooner, unless someone else already caught it and I'm just reposting. If that's the case, please ignore this post.
Astaro, please tell me this behavior isn't by design and that you plan on fixing this bug? This won't affect many small networks but it should affect bigger ones.
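The ordering problem the poster describes, as an added example that is not part of the original post or Astaro's code: a small model of a first-match POSTROUTING NAT chain evaluated before the IPsec policy selector. With a bare SNAT rule the source is rewritten to the public IP, so the LAN-to-remote selector no longer matches and the packet leaves in the clear; a NAT exemption for the remote subnet placed before the SNAT rule keeps the private source and the tunnel matches. All addresses are constructed.

```python
import ipaddress

# Constructed example networks (not from the forum post).
LAN = ipaddress.ip_network("192.168.10.0/24")       # local subnet behind the firewall
REMOTE = ipaddress.ip_network("192.168.20.0/24")    # subnet on the far side of the IPsec tunnel
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_IP = "203.0.113.10"                          # the public interface address used for SNAT

# IPsec policy selector: only LAN -> REMOTE traffic is sent into the tunnel.
IPSEC_POLICY = (LAN, REMOTE)


def apply_nat(rules, src, dst):
    """Walk an ordered list of POSTROUTING NAT rules; the first match wins.

    Each rule is (src_net, dst_net, action) with action 'ACCEPT' (exempt from
    NAT, keep the source unchanged) or 'SNAT:<ip>' (rewrite the source).
    Returns the source address as seen after the NAT chain.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            if action == "ACCEPT":
                return src
            return action.split(":", 1)[1]
    return src


def forward(rules, src, dst):
    """Model the observed order: NAT first, then the IPsec policy lookup.

    Returns (source address presented to IPsec, True if the tunnel matched).
    """
    nat_src = apply_nat(rules, src, dst)
    tunnelled = (ipaddress.ip_address(nat_src) in IPSEC_POLICY[0]
                 and ipaddress.ip_address(dst) in IPSEC_POLICY[1])
    return nat_src, tunnelled


# Broken: a single SNAT rule for everything leaving the LAN.
BROKEN = [(LAN, ANY, f"SNAT:{PUBLIC_IP}")]
# Fixed: exempt LAN -> REMOTE from NAT *before* the catch-all SNAT rule.
FIXED = [(LAN, REMOTE, "ACCEPT"), (LAN, ANY, f"SNAT:{PUBLIC_IP}")]
# Wrong order: the exemption after the SNAT rule is never reached.
MISORDERED = [(LAN, ANY, f"SNAT:{PUBLIC_IP}"), (LAN, REMOTE, "ACCEPT")]
```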