IPFire not routing through IPSec subnet

markusb · 9 June 2020 09:39

Hello everyone,

I have another problem with Routing and IPSec.
I have a working IPSec connection to a Cisco gateway.

I tested the connection with the host I want to reach directly listed in the remote subnet section:

Don’t know why I tested that, but it works. I can RDP into that machine.

Now, I really don’t want to do that because I want to reach different machines behind the gateway.
The remote subnet is rather big (and not in my control, it’s a customer network), I need to connect to the subnet
10.48.0.0/14

Now, if I change the settings to the correct subnet above, the IPSec link does come up, but I can’t any longer reach the destination machine under 10.48.193.140.

IPFire simply tells me “send: Operation not permitted” when I try to traceroute, or Destination network unreachable.

Why is the destination net unreachable? The target machine definately is in the range of the IPSec tunnel remote subnet.

pike_it · 9 June 2020 09:41

The tunnel ends only on that private IP, not the whole subnet.
Settings on both side of the tunnel must be changed to change the tunnel capabilites.

markusb · 9 June 2020 10:02

Funny thing is, I moved that IPSec connection from a hardware router (a LANCOM device) to IPFire.
No reconfiguration on the Customer endpoint, just internal changes on our site.

In the Lancom device, the big subnet is defined.
The big subnet definately works with a hardware IPSec router

markusb · 10 June 2020 09:55

OK, new findings.

We have multiple machines which we want to connect to, as I stated above.
When I put multiple machines in the “remote subnet” field, just the first one gets used and is available.

The second subnet seemingly doesn’t get connected/is not reachable.
IPFire tells me “send: Operation not permitted” on traceroute and “network unreachable” when I try to ping.

However:
When I open a second IPSec connection to the same host with the second IP as the remote subnet, both links come up and I can reach the second IP!
Why is this working as it is?
We can’t open more than two IPSec tunnels to the customer, a third one doesn’t get connected.

pike_it · 10 June 2020 11:07

I don’t know if IPFire support the environment “one gateway, multiple tunnels” than some other devices do, never had to try.
@ms?
AFAIK this is a “single Phase One, multiple Phase Two”

ms · 10 June 2020 11:17

Yes, IPFire supports that.