Hello, I've searched high and low to elucidate this one but so far
nothing has cued me in the right direction, so I'm turning to the
network experts herein.
Let me give you a little bit of context and expose my problem. Feel
free to ask if more details are needed.
I have 2 pfSense firewalls in 2 separate locations.
Both access the internet directly. An IPSec tunnel has been created so
that the services of both locations are accessible on both sides.
I have multiple servers on both sides both Windows and Linux.
Some servers have a single NIC, others have 2 NICs, one in the LAN and
one on the WAN for direct service access purposes.
Both ends are in separate subnets.
Site A:
192.168.1.0/24
pfSense 192.168.1.1
Site B:
192.168.2.0/24
pfSense 192.168.2.1
The tunnel is up and running. Since both sites are for the same
project, both firewalls have a "pass all IPV4" in the IPSec rules.
192.168.1.2 (Windows server with single NIC) can ping 192.168.2.2
(Windows server with single NIC) and vice versa.
192.168.1.3 (Windows server with 2 NICs) required a new route (route add
-net 192.168.2.0/24 gw 192.168.1.1) to be able to ping 192.168.2.2, and
the ping works both ways.
Here comes my problem.
192.168.1.4 is a CentOS 7 machine. It has 2 NICs, one on the LAN
(192.168.1.4) and one on the WAN. The default gateway for this machine
is obviously on the WAN side.
Try as much as I can, I never managed to add a route that would allow
traffic to be routed to 192.168.2.0 through 192.168.1.1.
route -n add -net 192.168.2.0/24 -m 100 gw 192.168.1.1
route -n:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         167.114.xxx.xxx 0.0.0.0         UG    100    0        0 eno1678003
167.114.xxx.xxx 0.0.0.0         255.255.255.248 U     100    0        0 eno1678003
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno3355929
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 eno3355929
I tried many a thing and exhausted my bag of tricks (and Google's, as far
as I am concerned).
I temporarily deactivated FirewallD on the CentOS machine and nothing
changed.
Here's the output of the ping:
ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.1.1: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.2)
From 192.168.1.1 icmp_seq=1 Redirect Host
64 bytes from 192.168.2.2: icmp_seq=1 ttl=126 time=80.9 ms
From 192.168.1.4 icmp_seq=2 Destination Host Unreachable
From 192.168.1.4 icmp_seq=3 Destination Host Unreachable
From 192.168.1.4 icmp_seq=4 Destination Host Unreachable
From 192.168.1.4 icmp_seq=5 Destination Host Unreachable
Now, seeing the redirect, I tried to deactivate it; here's the result:
sysctl -w net/ipv4/conf/eno3355929/accept_redirects=0
sysctl -w net/ipv4/conf/eno3355929/send_redirects=0
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
From 192.168.1.4 icmp_seq=1 Destination Host Unreachable
From 192.168.1.4 icmp_seq=2 Destination Host Unreachable
From 192.168.1.4 icmp_seq=3 Destination Host Unreachable
From 192.168.1.4 icmp_seq=4 Destination Host Unreachable
ifconfig output:
eno1678003: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 167.114.xxx.xxx netmask 255.255.255.248 broadcast 167.114.xxx.xxx
inet6 fe80::250:::xxxx prefixlen 64 scopeid 0x20<link>
ether 00:50:56:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 4546 bytes 347948 (339.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 498 bytes 124662 (121.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno3355929: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.4 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::250:::xxx prefixlen 64 scopeid 0x20<link>
ether 00:50:56:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 4908 bytes 392770 (383.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 979 bytes 129316 (126.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 136 bytes 153735 (150.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 136 bytes 153735 (150.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
What really stumps me is that everything is fine on the Windows side of
the servers... That CentOS machine is the first that really won't work.
I thought about moving the machine behind the pfSense, but the move has
not been approved by the application supplier so, for now, it is not an option.
The setup is quite simple, so I'm assuming it's just a little bit of
configuration that is missing, and my Google-fu is not elevated enough
to find it. I hope you guys can help me figure it out...
--
Sébastien La Madeleine
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
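Added here as an illustration, not part of Sébastien's post or of pfSense: a small Python model of the host's route selection (longest-prefix match, lowest metric on a tie) and of the checks a host applies before honouring an ICMP Redirect, run against the routing table posted above. The masked 167.114.xxx.xxx WAN addresses are replaced by constructed placeholders.

```python
import ipaddress

# Routing table of 192.168.1.4 as posted (route -n); the masked WAN
# addresses are replaced by constructed placeholder values.
ROUTES = [
    # (destination, gateway or None when on-link, interface, metric)
    ("0.0.0.0/0",      "167.114.0.1", "eno1678003", 100),  # placeholder WAN gateway
    ("167.114.0.0/29", None,          "eno1678003", 100),  # placeholder WAN subnet
    ("192.168.1.0/24", None,          "eno3355929", 100),
    ("192.168.2.0/24", "192.168.1.1", "eno3355929", 0),
]


def lookup(dst, routes):
    """Longest-prefix match; lowest metric wins a tie. Returns (gateway, iface).
    gateway is None when dst is on-link, i.e. the host ARPs for dst itself."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1], best[2]


def apply_redirect(routes, sender, dst, new_gw, accept_redirects=True):
    """Model of the RFC 1122 rules a host applies to an ICMP Redirect for dst.
    The redirect is honoured only if it comes from the gateway currently used
    for dst and the new gateway is on the same directly connected network;
    the host then installs a /32 host route to dst via new_gw (as Linux does
    with its redirect cache). Returns True if the table was changed."""
    if not accept_redirects:
        return False
    cur_gw, iface = lookup(dst, routes)
    if cur_gw != sender:
        return False  # not sent by our current first hop: ignore it
    on_link = [ipaddress.ip_network(p) for p, gw, i, m in routes
               if gw is None and i == iface]
    if not any(ipaddress.ip_address(new_gw) in n for n in on_link):
        return False  # new hop is not directly reachable: ignore it
    routes.append((dst + "/32", new_gw, iface, 0))
    return True
```

Once a redirect from 192.168.1.1 naming 192.168.1.2 has been accepted, the host sends traffic for 192.168.2.2 straight to 192.168.1.2, and a "Destination Host Unreachable" reported by 192.168.1.4 itself means the host could not resolve that next hop on the LAN. A redirect that was already cached stays in effect after accept_redirects is set to 0 until the cache is cleared (ip route flush cache on Linux).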