
Routing problem Site to Site SSL

Hello,

I'm having problems with a Site-to-Site SSL tunnel; my scenario is as follows:


I have a connection between 2 UTMs over SSL. Through this tunnel I send all the traffic from UTM B to UTM A, that is, in the local UTM networks I add "Any IPv4" and "Any IPv6", and in the remote networks the LAN segment of UTM B. I also have another IPsec VPN from UTM B to UTM C in which I share some segments.

This works perfectly: the UTM B network has the public IP of UTM A, since it sends all the traffic towards UTM A, and likewise it maintains the connection with UTM C. The problem is that at some moment UTM B stops sending the traffic towards UTM A; to solve this I have to restart the SSL tunnel manually.

I checked the routing tables and came upon this surprise:

Routing table when UTM B stops sending the traffic to UTM A:


default via xxx.xxx.138.65 dev eth1 table 200 proto kernel onlink
default via xxx.xxx.138.65 dev eth1 table 220 proto kernel onlink
default via xxx.xxx.138.65 dev eth1 table default proto kernel metric 20
10.0.1.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
10.0.45.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
10.0.90.0/24 dev eth0 proto kernel scope link src 10.0.90.1
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.15
108.xxx.10.49 via 190.187.138.65 dev eth1
127.0.0.0/8 dev lo scope link
xxx.xxx.138.64/30 dev eth1 proto kernel scope link src xxx.xxx.138.66
192.168.1.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
broadcast 10.0.90.0 dev eth0 table local proto kernel scope link src 10.0.90.1
local 10.0.90.1 dev eth0 table local proto kernel scope host src 10.0.90.1
broadcast 10.0.90.255 dev eth0 table local proto kernel scope link src 10.0.90.1
broadcast 10.242.2.0 dev tun0 table local proto kernel scope link src 10.242.2.15
local 10.242.2.15 dev tun0 table local proto kernel scope host src 10.242.2.15
broadcast 10.242.2.255 dev tun0 table local proto kernel scope link src 10.242.2.15
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast xxx.xxx.138.64 dev eth1 table local proto kernel scope link src xxx.xxx.138.66
local xxx.xxx.138.66 dev eth1 table local proto kernel scope host src 190.187.138.66
broadcast xxx.xxx.138.67 dev eth1 table local proto kernel scope link src xxx.xxx.138.66
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto unspec metric 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101

xxx.xxx.138.65 = public IP of UTM B
108.xxx.10.49 = public IP of UTM A
10.0.1.0/24, 10.0.45.0/24 = UTM C LAN networks
10.0.90.0/24 = UTM B LAN network


Routing table when everything works correctly:

default via xxx.xxx.138.65 dev eth1 table 200 proto kernel onlink
default via xxx.xxx.138.65 dev eth1 table 220 proto kernel onlink
default via 10.242.2.1 dev tun0 table default
10.0.1.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
10.0.45.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
10.0.90.0/24 dev eth0 proto kernel scope link src 10.0.90.1
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.15
108.xxx.10.49 via xxx.xxx.138.65 dev eth1
127.0.0.0/8 dev lo scope link
xxx.xxx.138.64/30 dev eth1 proto kernel scope link src xxx.xxx.138.66
192.168.1.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
broadcast 10.0.90.0 dev eth0 table local proto kernel scope link src 10.0.90.1
local 10.0.90.1 dev eth0 table local proto kernel scope host src 10.0.90.1
broadcast 10.0.90.255 dev eth0 table local proto kernel scope link src 10.0.90.1
broadcast 10.242.2.0 dev tun0 table local proto kernel scope link src 10.242.2.15
local 10.242.2.15 dev tun0 table local proto kernel scope host src 10.242.2.15
broadcast 10.242.2.255 dev tun0 table local proto kernel scope link src 10.242.2.15
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast xxx.xxx.138.64 dev eth1 table local proto kernel scope link src xxx.xxx.138.66
local xxx.xxx.138.66 dev eth1 table local proto kernel scope host src xxx.xxx.138.66
broadcast xxx.xxx.138.67 dev eth1 table local proto kernel scope link src xxx.xxx.138.66
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101

According to the comparison of these routing tables, the problem would be that for some reason the following route is removed on UTM B:
default via 10.242.2.1 dev tun0 table default

An important fact is that the SSL tunnel remains established on both UTM A and UTM B:

UTM A:

UTM B:


I was doing some tests and found that from the UTM B LAN I can still ping 10.242.2.1 (UTM A); this is the reason why the SSL tunnel is still established. However, I still cannot understand why it stopped sending all the traffic from UTM B to UTM A.

Could someone help me with this?
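Editor's note on what the two tables show: in the broken state the only default route in table `default` points at eth1 (the ISP gateway, metric 20) instead of tun0, while the 10.242.2.0/24 interface route on tun0 is still present. The tunnel endpoint therefore stays reachable and the SSL session stays up, but traffic that UTM B is meant to force through the tunnel is forwarded straight out of eth1 instead, which is a silent fail-open rather than an outage. The script below is an added example, not code from the original post or from the Sophos UTM product: it parses `ip route show table all`-style output, checks whether the default route in the `default` table still leaves via the tunnel device, and diffs a known-good dump against a suspect one to show exactly which entries changed. The two dumps embedded in it are constructed excerpts of the tables above (gateway kept redacted as xxx.xxx.138.65); `tun0`, the `default` table and the interface names are taken from the post.

```python
"""Detect a lost tunnel default route by parsing `ip route show table all` output.

Added example (not from the original post or from Sophos UTM): parses routing
dumps, checks that the default route in the `default` table points at the
tunnel device, and diffs a known-good dump against a suspect one.
"""
from dataclasses import dataclass
from typing import Optional

# Route types that `ip route` prints as a leading keyword before the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit",
               "blackhole", "multicast", "throw", "anycast"}


@dataclass(frozen=True)
class Route:
    table: str           # routing table the entry lives in ("main" if not printed)
    dst: str             # destination prefix, or "default"
    via: Optional[str]   # next-hop gateway, if any
    dev: Optional[str]   # egress interface, if any


def parse_routes(dump: str) -> set[Route]:
    """Parse the lines of an `ip route show table all` dump into Route objects."""
    routes: set[Route] = set()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ROUTE_TYPES:      # e.g. "broadcast 10.0.90.0 dev eth0 ..."
            tokens = tokens[1:]
        dst = tokens[0]
        via = dev = None
        table = "main"                    # `ip route` omits "table main"
        # Walk overlapping "key value" pairs; proto/scope/src/metric are ignored.
        for key, val in zip(tokens[1:], tokens[2:]):
            if key == "via":
                via = val
            elif key == "dev":
                dev = val
            elif key == "table":
                table = val
        routes.add(Route(table, dst, via, dev))
    return routes


def default_route(routes: set[Route], table: str = "default") -> Optional[Route]:
    """Return the 'default' entry of the given table, or None if it is missing."""
    for r in routes:
        if r.table == table and r.dst == "default":
            return r
    return None


def tunnel_default_ok(routes: set[Route], tun_dev: str = "tun0") -> bool:
    """True only if the default route in table 'default' still leaves via the tunnel.

    A default route on a physical interface here means forced-tunnel traffic is
    going out in the clear, even though the tunnel itself may still be up.
    """
    r = default_route(routes)
    return r is not None and r.dev == tun_dev


def diff_routes(good: set[Route], suspect: set[Route]) -> tuple[list[Route], list[Route]]:
    """Routes in `good` but not `suspect` (lost) and in `suspect` but not `good` (gained)."""
    key = lambda r: (r.table, r.dst, r.via or "", r.dev or "")
    return sorted(good - suspect, key=key), sorted(suspect - good, key=key)


# Constructed excerpts of the two tables from the post (gateway redacted in both).
WORKING_DUMP = """\
default via xxx.xxx.138.65 dev eth1 table 200 proto kernel onlink
default via xxx.xxx.138.65 dev eth1 table 220 proto kernel onlink
default via 10.242.2.1 dev tun0 table default
10.0.1.0/24 dev eth1 proto ipsec scope link src 10.0.90.1
10.0.90.0/24 dev eth0 proto kernel scope link src 10.0.90.1
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.15
108.xxx.10.49 via xxx.xxx.138.65 dev eth1
xxx.xxx.138.64/30 dev eth1 proto kernel scope link src xxx.xxx.138.66
local 10.242.2.15 dev tun0 table local proto kernel scope host src 10.242.2.15
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
"""

BROKEN_DUMP = WORKING_DUMP.replace(
    "default via 10.242.2.1 dev tun0 table default",
    "default via xxx.xxx.138.65 dev eth1 table default proto kernel metric 20",
)


if __name__ == "__main__":
    good, bad = parse_routes(WORKING_DUMP), parse_routes(BROKEN_DUMP)
    print("working: tunnel default ok =", tunnel_default_ok(good))
    print("broken:  tunnel default ok =", tunnel_default_ok(bad))
    lost, gained = diff_routes(good, bad)
    for r in lost:
        print("LOST  ", r)
    for r in gained:
        print("GAINED", r)
```

Fed a live dump (`ip route show table all | python3 routecheck.py`, with a few lines of argument handling), the `tunnel_default_ok` check is the one to alert on from a periodic job: it distinguishes "tunnel up but no longer carrying the default route" from a real tunnel outage, which a ping to 10.242.2.1 alone cannot do.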