LinuxQuestions.org
Old 12-05-2010, 08:19 PM   #1
Atomicmongoose
LQ Newbie
 
Registered: Jul 2008
Posts: 3

Rep: Reputation: 0
Packets go out one tunnel, come back another, then are dropped


I've run into a routing issue pertaining to packets leaving a firewall, traversing an IPsec tunnel, hitting the target and then returning via a different tunnel, finally arriving back on the source firewall but on a different interface from where they started. Once the packet has returned to the firewall it is dropped... I've been unable to discover the reason for the drop.

There are two sides to the system, Firewall A and Firewall B. Each firewall provides the default gateway to its respective side and offers a backup IPsec tunnel to the high-capacity tunnel handled internally. The Layer 3 switch uses OSPF and takes care of the bulk of the behind-the-scenes routing between the sides. In case of failure the Layer 3 switches direct traffic to use the firewall tunnels.
Firewall A hosts PPTPD services, and ideally PPTP clients should be able to ping anywhere in the system. Currently PPTP clients can ping anything on Firewall A's side and up to the Layer 3 switch on Firewall B's side.
Code:
Diagram:

Firewall A  ------------IPsec Tunnel------------  Firewall B
(10.1.1.1/24)                                     (10.2.2.1/24)
PPTPD                                                   |
(10.1.1.100-200)---PPTP Clients                         |
|                                                       |
|                                                       |
Layer 3 Switch ----------Fiber Tunnel-----------  Layer 3 Switch
(10.1.1.2)                                        (10.2.2.2)
|                                                       |
(10.1.2.0/24)                                     (10.2.3.0/24)
(10.1.3.0/24)                                     (10.2.4.0/24)
(10.1.4.0/24)                                     (10.2.5.0/24)
Any part of this diagram can ping any other part of the diagram, except the PPTP clients.

A packet from 10.1.1.100 (a PPTP client somewhere in the world) attempting to reach 10.2.5.1 (a server on Firewall B's side) will travel to Firewall B over the IPsec tunnel, down to the B side's Layer 3 switch, and into the various gadgets to reach the target. The reply packet returns to the Layer 3 switch, where it takes the fiber tunnel to the A side. The packet then appears on eth0 of Firewall A and ... disappears somewhere in either the iptables rules, strongSwan, or the routing rules of the firewall.

I've tried several things:
- Accepting any packet from anywhere, and various other iptables rules. I'm confident the packet isn't being dropped in the firewall rules.
- Forcing traffic from PPTP clients to use the Layer 3 switches as the default gateways. I should note that this does work when I shut down IPsec. When IPsec is turned back on, something must happen in the routing tables that undercuts my specified route.
- I've set rp_filter to 0.
Any thoughts on further options?

Last edited by Atomicmongoose; 12-05-2010 at 08:22 PM.
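An added example for the symptom described in the post above. This is editor-supplied code, not something from the poster, from strongSwan or from the kernel. strongSwan on Linux is policy-based IPsec: it installs XFRM policies that the kernel consults independently of the routing table, and a cleartext packet whose selector is covered by a policy that requires ESP fails the kernel's template check (counted as XfrmInTmplMismatch in /proc/net/xfrm_stat). For forwarded traffic that check runs in ip_forward() before the netfilter FORWARD hook, which is consistent with "accept everything" iptables rules not helping. The script below parses constructed snapshots of /proc/net/xfrm_stat and `ip xfrm policy` and reports what XFRM does to the client-to-server flow and to its cleartext reply; the tunnel endpoints 198.51.100.1/203.0.113.2, the /16 selectors, the priority values and the 10.1.1.96/27 pool prefix are all assumptions, since the thread gives none of them.

```python
"""Added example, not code from the thread.  Checks the two points where the
kernel's XFRM (IPsec policy) layer acts on a flow with no iptables rule and no
routing entry involved.  Inputs are CONSTRUCTED snapshots in the text format of
/proc/net/xfrm_stat and `ip xfrm policy`; on the firewall use the live text.
Tunnel endpoints 198.51.100.1/203.0.113.2 and the /16 selectors are assumed."""
import ipaddress
import re

SAMPLE_XFRM_STAT = """\
XfrmInError              0
XfrmInTmplMismatch       42
XfrmInNoPols             0
"""

# Policies strongSwan would install for a 10.1.0.0/16 <-> 10.2.0.0/16 tunnel.
SAMPLE_XFRM_POLICY = """\
src 10.2.0.0/16 dst 10.1.0.0/16
    dir fwd priority 1859 ptype main
    tmpl src 203.0.113.2 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 1859 ptype main
    tmpl src 203.0.113.2 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 1859 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.2
        proto esp reqid 1 mode tunnel
"""

# Same, plus template-less (passthrough) policies with a better priority for
# part of the PPTP pool, as a strongSwan conn with type=passthrough adds
# (10.1.1.96/27 is assumed; a .100-.200 pool needs more than one prefix).
SAMPLE_XFRM_POLICY_BYPASS = SAMPLE_XFRM_POLICY + """\
src 10.2.0.0/16 dst 10.1.1.96/27
    dir fwd priority 100 ptype main
src 10.1.1.96/27 dst 10.2.0.0/16
    dir out priority 100 ptype main
"""

def parse_xfrm_stat(text):
    """Counter name -> value from /proc/net/xfrm_stat."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: int(p[1]) for p in pairs if len(p) == 2 and p[1].isdigit()}

def parse_xfrm_policy(text):
    """`ip xfrm policy` -> list of dicts.  'required' means matching traffic
    must be IPsec-protected: a template present and not marked 'level use'."""
    pols, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)  # policy header, column 0
        if m:
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "priority": 0, "required": False}
            pols.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\bdir (in|out|fwd)\b", line)
        if m:
            cur["dir"] = m[1]
        m = re.search(r"\bpriority (\d+)", line)
        if m:
            cur["priority"] = int(m[1])
        if line.lstrip().startswith("tmpl "):
            cur["required"] = True
        if "level use" in line:  # optional template: cleartext is also accepted
            cur["required"] = False
    return pols

def winning_policy(pols, direction, src, dst):
    """The policy XFRM applies to src->dst in `direction`; lowest priority wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in pols if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def diagnose(stat_text, policy_text, client, server):
    """Findings for client->server and its reply when this host FORWARDS both.
    Forwarded packets are checked against 'fwd' policies in ip_forward(), before
    the netfilter FORWARD hook; packets for the host itself are checked against
    'in' policies in the L4 receive path instead."""
    stats, pols, findings = parse_xfrm_stat(stat_text), parse_xfrm_policy(policy_text), []
    out = winning_policy(pols, "out", client, server)
    if out and out["required"]:
        # The 'out' lookup happens in the output path after the route lookup,
        # so a different default gateway for the PPTP clients changes nothing.
        findings.append(f"out: {client}->{server} is captured by an IPsec 'out' "
                        f"policy regardless of the routing table")
    fwd = winning_policy(pols, "fwd", server, client)
    if fwd and fwd["required"]:
        # A cleartext packet carries no ESP history, so it fails the required
        # template and is dropped before any iptables FORWARD rule runs.
        msg = (f"fwd: cleartext reply {server}->{client} matches a required IPsec "
               f"'fwd' policy and is rejected in ip_forward() before iptables FORWARD")
        n = stats.get("XfrmInTmplMismatch", 0)
        if n:
            msg += f"; XfrmInTmplMismatch={n} in /proc/net/xfrm_stat counts these drops"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_XFRM_STAT, SAMPLE_XFRM_POLICY, "10.1.1.100", "10.2.5.1"):
        print("-", f)
    print("with passthrough:", diagnose(SAMPLE_XFRM_STAT, SAMPLE_XFRM_POLICY_BYPASS,
                                        "10.1.1.100", "10.2.5.1"))
```

On a live box the equivalent is `cat /proc/net/xfrm_stat` before and after a test ping, plus `ip xfrm policy` and `ip xfrm state`. The drop is the kernel doing its job: if a cleartext packet for a protected selector were accepted, anyone on the fiber path could inject traffic that looks as though it came through the tunnel. The two ways out are therefore to make the reply take the same path as the request, or to exempt the PPTP pool from the tunnel with a passthrough policy (the second sample above, which strongSwan produces from a conn with `type=passthrough`), accepting that those flows then travel unprotected over the internal path.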
 
Old 12-06-2010, 05:52 PM   #2
4play
LQ Newbie
 
Registered: Oct 2003
Location: london
Distribution: Centos
Posts: 25

Rep: Reputation: 15
Since the response comes back on the wrong interface, the initial connection never gets its response and it will just time out on the client rather than the firewall.

From what I understand of IPsec, it operates on level 2, so your routing changes won't make a difference. (Though I'm still learning about IPsec, so I might be wrong.)

What's the IPsec tunnel for? I would much rather have no encryption overhead and try to make the Layer 3 switches you have as redundant as possible.
 
Old 12-06-2010, 06:35 PM   #3
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Given these two facts about IPsec:

1) IPsec can use either the real NIC in the computer or a virtual NIC
2) IPsec uses separate inbound and outbound channels to communicate with another host

is it possible that the inbound channel is bound to the physical NIC and the outbound channel is bound to a virtual NIC (or vice versa)

and

the physical NIC has a different routing configuration than the virtual NIC?

Last edited by stress_junkie; 12-06-2010 at 06:36 PM.
 
  


Tags
iproute2, ipsec, pptpd