Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
There's a Site-2-Site IPSec VPN tunnel setup between the two Astaros; I can ping each ASG's internal interface from any host on the other side of the tunnel, no problem. However, I can't seem to route packets to any hosts behind each of the Astaros from either network.
For example, if I'm on a machine (10.0.1.100) behind ASG-1, I can't route any packets to a 10.1.1.0/24 machine such as 10.1.1.200. I've tried adding static gateway routes in either ASG, but when tracerouting, it appears to be sending it out to the default gateway (External Interface to ISP), not the tunnel interface.
Any ideas? The routing table looks ok to me (it's routing 10.1.1.0/24 to dev/ipsec0). Regardless of tunnels, how should this work? Is the Astaro confused by the wrong subnet masks? I don't think it's a packet filtering rule because the target Astaro isn't even seeing the packets.
It might be that the rules for NAT are getting in the way. These rules are invoked BEFORE any filtering rules, and so your packets might be getting their destination addresses clobbered (sorry, translated), and thus being routed the wrong way. This would be consistent with your observation that you can reach the interface address on the appliances, but not anything further away.
I am guessing here, since I have not looked at the Astaro appliance in any detail, but if it is using iptables to do NAT, you could put a rule into the NAT table just before the one that does DNAT translation with the same match criteria, but rather than -j DNAT, -j LOG. This will put a message into the syslog message file for each packet that is about to be translated, so you could attempt to reach your 10.1.1.200 machine, and then examine the logfile to see if some or all of the packets are getting mangled.
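One way to act on that suggestion, as an added example that is not part of the thread: a small Python script that reads an `iptables-save` dump of the nat table, emits the commands to insert a `-j LOG` rule with the same match criteria directly in front of each `-j DNAT` rule, and then picks the logged packets back out of syslog. The nat rules, interface names and log lines below are constructed for illustration, not taken from an Astaro.

```python
import re

# Constructed sample nat table in 'iptables-save' format (hypothetical rules,
# not the Astaro's real configuration).
NAT_TABLE = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.1.10:443
-A PREROUTING -d 10.1.1.0/24 -j DNAT --to-destination 10.0.1.0/24
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed kernel log lines, in the shape a -j LOG rule writes to syslog.
SYSLOG = """Jan  1 12:00:01 asg1 kernel: DNAT-TRACE: IN=eth1 OUT= SRC=10.0.1.100 DST=10.1.1.200 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Jan  1 12:00:02 asg1 kernel: OTHER: IN=eth1 OUT= SRC=10.0.1.100 DST=10.1.1.1 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
"""

RULE = re.compile(r"^-A (\S+) (.*) -j (\S+)(.*)$")
PKT = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+)")


def log_rules_for_dnat(table, prefix="DNAT-TRACE: "):
    """Return iptables commands that insert a LOG rule with the same match
    criteria directly in front of every DNAT rule in the nat table.
    Commands are emitted bottom-up per chain so that inserting one rule
    does not shift the position used by the next."""
    found = []   # (chain, 1-based position, match criteria)
    counts = {}  # rules seen so far per chain
    for line in table.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        chain, match, target = m.group(1), m.group(2), m.group(3)
        counts[chain] = counts.get(chain, 0) + 1
        if target == "DNAT":
            found.append((chain, counts[chain], match))
    return [f'iptables -t nat -I {chain} {pos} {match} -j LOG --log-prefix "{prefix}"'
            for chain, pos, match in reversed(found)]


def translated_packets(syslog, prefix="DNAT-TRACE: "):
    """Pick out the packets the LOG rule recorded, i.e. those about to be
    DNAT'ed, as (src, dst, proto) tuples; other kernel log lines are ignored."""
    hits = []
    for line in syslog.splitlines():
        if prefix not in line:
            continue
        m = PKT.search(line)
        if m:
            hits.append(m.groups())
    return hits
```

If the ping to 10.1.1.200 shows up in `translated_packets`, the DNAT rule in front of it is the one rewriting the destination before routing.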