LinuxQuestions.org
#1  11-24-2008, 06:47 PM
gravyface (LQ Newbie; Registered: Jan 2004; Posts: 4)

Routing 101

Hello,

I have two Astaro Security Gateway appliances set up:

ASG-1: Internal Interface 10.0.1.5 (10.0.1.0/24), External Interface 24.23.22.21

ASG-2: Internal Interface 10.1.1.5 (10.1.1.0/24), External Interface 66.55.44.33

There's a Site-2-Site IPSec VPN tunnel set up between the two Astaros; I can ping each ASG's internal interface from any host on the other side of the tunnel, no problem. However, I can't seem to route packets to any hosts behind each of the Astaros from either network.
For example, if I'm on a machine (10.0.1.100) behind ASG-1, I can't route any packets to a 10.1.1.0/24 machine such as 10.1.1.200. I've tried adding static gateway routes in either ASG, but when tracerouting, it appears to be sending it out to the default gateway (External Interface to ISP), not the tunnel interface.

Any ideas? The routing table looks ok to me (it's routing 10.1.1.0/24 to dev/ipsec0). Regardless of tunnels, how should this work? Is the Astaro confused by the wrong subnet masks? I don't think it's a packet filtering rule because the target Astaro isn't even seeing the packets.

Bit of a noob here; any help appreciated.

Thanks

#2  11-24-2008, 10:39 PM
dkm999 (Member; Registered: Nov 2006; Location: Seattle, WA; Distribution: Fedora; Posts: 407)

It might be that the rules for NAT are getting in the way. These rules are invoked BEFORE any filtering rules, and so your packets might be getting their destination addresses clobbered (sorry, translated), and thus being routed the wrong way. This would be consistent with your observation that you can reach the interface address on the appliances, but not anything further away.

I am guessing here, since I have not looked at the Astaro appliance in any detail, but if it is using iptables to do NAT, you could put a rule into the NAT table just before the one that does DNAT translation with the same match criteria, but rather than -j DNAT, -j LOG. This will put a message into the syslog message file for each packet that is about to be translated, so you could attempt to reach your 10.1.1.200 machine, and then examine the logfile to see if some or all of the packets are getting mangled.
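Added example, not from the thread or from Astaro: a small Python model of the two mechanisms the posts are arguing about. It answers the "how should this work?" question in post #1 with a longest-prefix-match lookup over a routing table modelled on ASG-1 (the tunnel route for 10.1.1.0/24 must beat the default route), then shows dkm999's point that nat/PREROUTING runs before the routing decision, so a DNAT rule that rewrites the destination changes which route is chosen. Finally it parses the kind of syslog lines a `-j LOG` rule placed ahead of the DNAT rule would write, so the "about to be translated" packets can be counted. Interface names, the ISP gateway 24.23.22.1, the DNAT rule, the `PRE-DNAT:` log prefix and every log line are constructed assumptions.

```python
import ipaddress
import re

# Constructed routing table modelled on ASG-1 from the thread. Interface
# names and the ISP gateway address (24.23.22.1) are assumptions.
ROUTES = [
    ("10.0.1.0/24", "eth0", None),          # LAN behind ASG-1
    ("10.1.1.0/24", "ipsec0", None),        # remote LAN, reachable via the tunnel
    ("0.0.0.0/0", "eth1", "24.23.22.1"),    # default route to the ISP
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match as the kernel performs it: the most specific
    matching prefix wins and the default route is used only as a last resort.
    Returns (device, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1], best[2]


def prerouting(dst, dnat_rules):
    """nat/PREROUTING runs before the routing decision, so a matching DNAT
    rule rewrites the destination that route_lookup() then sees.
    dnat_rules is a list of (match_prefix, new_destination)."""
    addr = ipaddress.ip_address(dst)
    for match, new_dst in dnat_rules:
        if addr in ipaddress.ip_network(match):
            return new_dst
    return dst


def forward(dst, dnat_rules=()):
    """Return (destination actually routed, outgoing device) for one packet."""
    routed_dst = prerouting(dst, dnat_rules)
    dev, _gateway = route_lookup(routed_dst)
    return routed_dst, dev


# Constructed syslog lines in the netfilter LOG format, as a rule such as
#   iptables -t nat -I PREROUTING 1 -d 10.1.1.0/24 -j LOG --log-prefix "PRE-DNAT: "
# would produce (the match criteria and the prefix are assumptions).
LOG_LINES = [
    "Nov 24 22:10:01 asg1 kernel: PRE-DNAT: IN=eth0 OUT= SRC=10.0.1.100 DST=10.1.1.200 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Nov 24 22:10:02 asg1 kernel: PRE-DNAT: IN=eth0 OUT= SRC=10.0.1.100 DST=10.1.1.200 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2",
    "Nov 24 22:10:05 asg1 kernel: PRE-DNAT: IN=eth0 OUT= SRC=10.0.1.100 DST=10.1.1.5 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1",
    "Nov 24 22:10:06 asg1 sshd[1234]: Accepted publickey for admin from 10.0.1.100",
]

# The log prefix is followed by the IN=/OUT= pair; in PREROUTING OUT= is empty.
LOG_RE = re.compile(
    r"(?P<prefix>[\w-]+): IN=(?P<indev>\S*) OUT=(?P<outdev>\S*) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
)


def parse_log_line(line):
    """Parse one netfilter LOG line; return a dict, or None for other syslog lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def packets_to(lines, target, prefix="PRE-DNAT"):
    """Return (src, dst, proto) for logged packets carrying the given prefix and
    addressed to target: the packets the DNAT rule below the LOG rule will translate."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix and rec["dst"] == target:
            hits.append((rec["src"], rec["dst"], rec["proto"]))
    return hits


if __name__ == "__main__":
    print("no DNAT:  ", forward("10.1.1.200"))
    # A constructed DNAT rule covering the remote LAN sends the packet out the default route.
    print("with DNAT:", forward("10.1.1.200", [("10.1.1.0/24", "203.0.113.10")]))
    for pkt in packets_to(LOG_LINES, "10.1.1.200"):
        print("about to be translated:", pkt)
```

The first `forward()` call returns `ipsec0`, which is what the routing table in post #1 should produce; the second shows that once the destination has been rewritten by DNAT, the same routing table picks the default route, matching the traceroute observation. Running `packets_to()` over a real log taken after adding a LOG rule with the same match criteria as the suspect DNAT rule tells you whether the pings to 10.1.1.200 are reaching that rule at all.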