Iíve run into a of a routing issue pertaining to packets leaving a firewall, traversing and IPSec tunnel, hitting the target and then returning via a different tunnel, finally arriving back on the source firewall but on a different interface from where it started. Once the packet has returned to the firewall it is droppedÖ Iíve been unable to discover the reason for the drop.
Two sides to the system, Firewall A and Firewall B. Each firewall provides the default gateway to its respective side and offers a backup IPSec tunnel to the high capacity tunnel handled internally. The Layer 3 Switch uses OSPF and takes care of the bulk of the behind the scenes routing between the sides. In case of failure the Layer 3 switches direct traffic to use the Firewall tunnels to route traffic.
Firewall A Hosts PPTPD services and ideally PPTP clients should be able to ping anywhere in the system. Currently PPTP clients can ping anything on Firewall Aís side and up to the Layer 3 Switch on Firewall B
Firewall A ------------Ipsec Tunnel------------Firewall B
(10.1.1.100-200)---PPTP Clients |
Layer 3 Switch ------------Fiber Tunnel---------Layer 3 Switch
Any part of this diagram can ping any other part of the diagram, except the PPTP clients.
A packet from 10.1.1.100, (a pptp client somewhere in the world) attempting to reach 10.2.5.1 (A server on Firewall Bís Side) will travel to Firewall B over the Ipsec Tunnel, down to the B sides Layer 3, into the various gadgets to reach the target. The reply packet returns to the Layer 3 Switch, where the reply takes the Fiber tunnel to A Side. The packet then appears on Eth0 of Firewall A and Ö disappears somewhere in either the IPTABLES, Strongswan, or routing rules of the firewall.
Iíve tried several things:
-Accepting any packet from anywhere and various other IPTABLES rules. Iím confident the packet isnít being dropped in the firewall rules.
-Forcing traffic from PPTP clients to use the layer 3 switches as the default gateways. I should note that this does work when I shutdown IPSEC. When IPSEC is turned back on something must happen in the routing tables that undercuts my specified route
-Iíve set rp_filter to 0
Any thoughts on further options?