I have a problem with my ASG 8.103.
I set up an SSL site-to-site connection and a policy route for routing traffic out of a certain LAN IP into the VPN tunnel.
As I'm on a German DSL line I have a daily disconnect and therefore a reconnect of the SSL VPN connection.
Afterwards the policy rule stops working.
I traced the problem down to a routing entry missing in a table.
These are my rule tables (ASG default), where table 1 is used by the policy rule:
astaro:/ # ip rule
0: from all lookup local
1: from all fwmark 0x1000000 lookup 1
32765: from all fwmark 0x40000 lookup 252
32765: from 10.0.2.0/24 to 192.168.102.0/24 lookup ipsec
32765: from 10.0.1.0/24 to 192.168.102.0/24 lookup ipsec
32765: from 0.0.0.0 lookup ipsec
32766: from all lookup main
40000: from 77.191.48.230 lookup 200
65535: from all lookup default
Prior to the reconnect the rule table 1 shows (tun2 is the SSL VPN interface):
astaro:/ # ip route list table 1
default via 10.0.5.5 dev tun2 proto policy
Afterwards table 1 is empty, which causes traffic matched in the policy route to get routed over the default gateway instead of through the tunnel.
My guess is that the route-up script of the OpenVPN client does not care about policy routes and therefore does not add this entry again.
Currently I use an every-minute cronjob to set this route if it's missing.
Please have a look at this and release a fix for the VPN route-up script in future versions of ASG.
Thanks and greetings,
Johannes
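The check-and-restore step the post describes (a cron job that reinstalls the missing default route in table 1), written out as an added example; this is not Astaro's route-up script or the poster's own cron job. It assumes the values shown in the post (table 1, gateway 10.0.5.5, interface tun2), which are site-specific.

```shell
#!/bin/sh
# Added example: verify that a policy-route table still holds its default
# route after an OpenVPN reconnect and reinstall it when it has been flushed.
# TABLE, VPN_GW and VPN_DEV are the values from the post; adjust per site.
TABLE=1
VPN_GW=10.0.5.5
VPN_DEV=tun2

# has_default_route ROUTE_TEXT
# Returns 0 when the text (output of `ip route list table N`) contains a
# default route via VPN_DEV. Pure text check, so it can be tested offline.
has_default_route() {
    printf '%s\n' "$1" | grep -Eq "^default via [0-9.]+ dev ${VPN_DEV}( |$)"
}

# check_table
# Reads the live table and restores the route only when it is missing.
# Suitable for a periodic cron job or for an OpenVPN --route-up hook.
check_table() {
    current=$(ip route list table "$TABLE" 2>/dev/null)
    if has_default_route "$current"; then
        echo "table $TABLE: default route via $VPN_DEV present"
        return 0
    fi
    echo "table $TABLE: default route missing, reinstalling via $VPN_GW dev $VPN_DEV"
    ip route replace default via "$VPN_GW" dev "$VPN_DEV" table "$TABLE"
}

# Only touch the live routing table when invoked with "run", e.g. from cron:
#   * * * * * /path/to/check_policy_table.sh run
if [ "${1:-}" = "run" ]; then
    check_table
fi
```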