Hi.
On Tue, Nov 18, 2014 at 10:52:50AM +0100, Göran Löwkrantz wrote:
> We have a problem with a NanoBSD GW/Router that seems to get its
> forwarding screwed up by an IPSec tunnel.
>
>    +----+                                       +-------+
>    |    |         +----+                        |       |    +-- A
> 2 -+    |         |    |                        |       |    |
> 3 -+ GW +-- DMZ --+ FW +--- Internet ---???? ---+ IPSec +----+-- B
> 4 -+    |         |    |                        | endp  |    |
>    |    |         +----+                        |       |    +-- C
>    +----+                                       +-------+
>
> Net 2 - em2 - 192.168.2.0/24 - servers, server-net switches.
> Net 3 - em1 - 192.168.3.0/24 - workstations, ws-net switches
> Net 4 - em0 - 192.168.4.0/24 - WiFi access points + VLAN switch
>
> DMZ - em5 - XXX.XXX.XXX.128/27 - DMZ and transfer net to outside.
> IPSec endp - YYY.YYY.YYY.2
>
> Net A - 192.168.45.129/32
> Net B - 192.168.45.130/32
> Net C - 192.168.40.8/29
>
> Net 2 and Net 3 are set up to allow the tunnel to Nets A, B and C.
>
> GW is FreeBSD gw01.xxxx.com 10.1-PRERELEASE FreeBSD 10.1-PRERELEASE
> #0 r274192
> IKEv1 etc. is handled by strongswan-5.2.0_1
> Left IPSec endpoint is a Clavister VPN GW.
>
> After a host on Net 3 has connected through the tunnel to
> 192.168.45.129 via a NATed VMWare Fusion connection, traffic from
> that host is received correctly at the GW on Net 3 (em1) but the
> response from the GW is sent out via the DMZ interface em5.
> Switching the host to Net 4, i.e. disconnecting the network cable and
> starting the WiFi, restores connectivity.
>
> Other hosts on Net 3 that have not communicated via the IPSec tunnel
> are NOT affected.
>
> All routing seems to be correct on the GW so some other mechanism
> must be at play.
>
> Any help appreciated.
Could you please send us at least a dump of your SPD and routing
configuration?
Yvan.