Old 12-05-2010, 08:19 PM   #1
LQ Newbie
Registered: Jul 2008
Posts: 3

Rep: Reputation: 0
Packets go out one tunnel, come back another, then are dropped

I've run into a routing issue pertaining to packets leaving a firewall, traversing an IPSec tunnel, hitting the target and then returning via a different tunnel, finally arriving back on the source firewall but on a different interface from where it started. Once the packet has returned to the firewall it is dropped... I've been unable to discover the reason for the drop.

Two sides to the system, Firewall A and Firewall B. Each firewall provides the default gateway to its respective side and offers a backup IPSec tunnel to the high capacity tunnel handled internally. The Layer 3 Switch uses OSPF and takes care of the bulk of the behind-the-scenes routing between the sides. In case of failure the Layer 3 switches direct traffic to use the Firewall tunnels to route traffic.
Firewall A hosts PPTPD services and ideally PPTP clients should be able to ping anywhere in the system. Currently PPTP clients can ping anything on Firewall A's side and up to the Layer 3 Switch on Firewall B's side.

Firewall A ----------- IPsec Tunnel ----------- Firewall B
    |                                               |
    +-- PPTPD (PPTP clients)                        |
    |                                               |
Layer 3 Switch -------- Fiber Tunnel -------- Layer 3 Switch
    |                                               |
 (A-side networks)                           (B-side networks)
Any part of this diagram can ping any other part of the diagram, except the PPTP clients.

A packet from (a PPTP client somewhere in the world) attempting to reach (a server on Firewall B's side) will travel to Firewall B over the IPsec tunnel, down to the B side's Layer 3 Switch, into the various gadgets to reach the target. The reply packet returns to the Layer 3 Switch, where the reply takes the Fiber tunnel to the A side. The packet then appears on eth0 of Firewall A and... disappears somewhere in either the IPTABLES, Strongswan, or routing rules of the firewall.

I've tried several things:
- Accepting any packet from anywhere and various other IPTABLES rules. I'm confident the packet isn't being dropped in the firewall rules.
- Forcing traffic from PPTP clients to use the Layer 3 switches as the default gateways. I should note that this does work when I shut down IPSEC. When IPSEC is turned back on something must happen in the routing tables that undercuts my specified route.
- I've set rp_filter to 0.
Any thoughts on further options?

Last edited by Atomicmongoose; 12-05-2010 at 08:22 PM.
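The symptom described in this post, a cleartext reply that comes back over the fibre path and lands on eth0 while an IPsec policy covers that traffic, is modelled in the following Python example. It is added here and is not code from the thread or from strongSwan; the subnets, addresses and the `ip xfrm policy` text are constructed. It shows two kernel checks that run before iptables sees the packet at all: the XFRM policy check (a cleartext packet matching an `in` or `fwd` policy that carries an ESP template is discarded and counted as XfrmInTmplMismatch in /proc/net/xfrm_stat) and reverse-path filtering, where the kernel uses the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so zeroing only one of them leaves the filter on.

```python
"""Added example (not from the forum thread or from strongSwan): model the
two kernel checks that can silently drop a cleartext reply arriving on the
"wrong" interface of a Linux IPsec gateway, before iptables ever sees it.
All addresses, subnets and `ip xfrm policy` text below are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed layout: 10.1.0.0/16 behind Firewall A, 10.2.0.0/16 behind
# Firewall B, 10.3.0.0/24 the PPTP client pool, 198.51.100.1/.2 the two
# tunnel endpoints. Constructed `ip xfrm policy` output on Firewall A for a
# tunnel-mode SA covering the PPTP pool <-> B-side subnet pair.
SAMPLE_XFRM_POLICY = """\
src 10.2.0.0/16 dst 10.3.0.0/24
\tdir fwd priority 2816 ptype main
\ttmpl src 198.51.100.2 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.3.0.0/24
\tdir in priority 2816 ptype main
\ttmpl src 198.51.100.2 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.3.0.0/24 dst 10.2.0.0/16
\tdir out priority 2816 ptype main
\ttmpl src 198.51.100.1 dst 198.51.100.2
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto udp sport 500
\tsocket out priority 0 ptype main
"""

# Same gateway after adding bypass policies for the pair (the shape a
# strongSwan `type=passthrough` connection installs): no tmpl line, and a
# lower priority value takes precedence over the tunnel policies.
SAMPLE_WITH_PASSTHROUGH = SAMPLE_XFRM_POLICY + """\
src 10.2.0.0/16 dst 10.3.0.0/24
\tdir fwd priority 1536 ptype main
src 10.2.0.0/16 dst 10.3.0.0/24
\tdir in priority 1536 ptype main
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*(dir|socket) (\w+) priority (\d+)")


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str        # "in", "out", "fwd", or "socket" for IKE bypass entries
    priority: int         # lower value wins among matching policies
    requires_ipsec: bool  # True when the policy carries a tmpl (ESP/AH) line


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output: a 'src ... dst ...' header, one
    'dir|socket ... priority N' line, and zero or more 'tmpl ...' lines."""
    policies: List[XfrmPolicy] = []
    current: Optional[XfrmPolicy] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = XfrmPolicy(ipaddress.ip_network(m.group(1), strict=False),
                                 ipaddress.ip_network(m.group(2), strict=False),
                                 "", 0, False)
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current.direction = m.group(2) if m.group(1) == "dir" else "socket"
            current.priority = int(m.group(3))
        elif line.strip().startswith("tmpl "):
            current.requires_ipsec = True
    return policies


def cleartext_verdict(policies: List[XfrmPolicy], src_ip: str, dst_ip: str,
                      path: str) -> Tuple[str, Optional[XfrmPolicy]]:
    """Outcome of the XFRM policy check for an UNencrypted packet.
    path is "in" for a packet delivered to the gateway itself and "fwd" for
    one being forwarded (ip_forward runs the XFRM_POLICY_FWD check). A
    matching policy that carries a template expects the packet to have come
    out of an SA; a cleartext packet has no sec_path, so it is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p.direction == path and src in p.src and dst in p.dst]
    if not matches:
        return "no-policy", None          # routing and netfilter decide as usual
    best = min(matches, key=lambda p: p.priority)
    if best.requires_ipsec:
        return "drop:XfrmInTmplMismatch", best
    return "allow", best


def effective_rp_filter(sysctl: Dict[str, int], iface: str) -> int:
    """Documentation/networking/ip-sysctl.txt: the max of conf/all/rp_filter
    and conf/<iface>/rp_filter is what applies on <iface>."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))


def interfaces_still_filtering(sysctl: Dict[str, int]) -> List[str]:
    """Interfaces on which reverse-path filtering is still effectively on."""
    return sorted(i for i in sysctl if i not in ("all", "default")
                  and effective_rp_filter(sysctl, i) > 0)


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    # B-side server replying to a PPTP client; the reply arrives in the clear
    # on eth0 via the fibre path and is about to be forwarded to ppp0.
    print(cleartext_verdict(pols, "10.2.5.10", "10.3.0.7", "fwd"))
    print(cleartext_verdict(parse_xfrm_policies(SAMPLE_WITH_PASSTHROUGH),
                            "10.2.5.10", "10.3.0.7", "fwd"))
    print(interfaces_still_filtering({"all": 0, "eth0": 1, "ppp0": 0}))
```

On a real gateway, feed the output of `ip xfrm policy` to parse_xfrm_policies and watch XfrmInTmplMismatch in /proc/net/xfrm_stat while a PPTP client pings: a rising counter means the drop happens in the XFRM policy check, which no ACCEPT rule in iptables can undo. The passthrough sample only shows the mechanism by which a pair of subnets can be exempted from the tunnel; whether exempting traffic is acceptable depends on what the tunnel was meant to protect, so treat it as a diagnostic, not a recommendation for this particular network. For rp_filter, check `sysctl net.ipv4.conf.all.rp_filter` and the eth0 and ppp entries together, since the larger value wins.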
Old 12-06-2010, 05:52 PM   #2
LQ Newbie
Registered: Oct 2003
Location: london
Distribution: Centos
Posts: 25

Rep: Reputation: 15
Since the response comes back on the wrong interface, the initial connection never gets its response and it will just time out on the client rather than the firewall.

From what I understand of IPsec it operates on level 2, so your routing changes won't make a difference. (Though I'm still learning about IPsec, so I might be wrong.)

What's the IPsec tunnel for? I would much rather have no encryption overhead and try to make the Layer 3 switches you have as redundant as possible.
Old 12-06-2010, 06:35 PM   #3
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 332
Given these two facts about IPSEC:

1) IPSEC can use either the real NIC in the computer or it can use a virtual NIC
2) IPSEC uses separate inbound channel and outbound channel to communicate with another host

Is it possible that the inbound channel is bound to the physical NIC and the outbound channel is bound to a virtual NIC (or vice versa), and that the physical NIC has a different routing configuration than the virtual NIC?

Last edited by stress_junkie; 12-06-2010 at 06:36 PM.


iproute2, ipsec, pptpd
