Hi, I'm not sure if this is some kind of bug or by design but I thought I would ask.
Firstly check out this diagram I made: http://i.imgur.com/EUXqauH.png - I hope I'm allowed to post that link.

The servers have default routes to their firewalls. Firewall A has a default route to 10.100.100.2. Firewall B has a default route to 10.100.100.1.

I turn off ipsec, kill all my tunnels. Server A can ping Server Z and on both firewalls I see the ICMP traffic coming in on em1. Great, that's exactly what I expected.

In /etc/ipsec.conf on each firewall I set the peer to use the 172.16.0.x IP instead of using what I've set as the default gateways (don't ask why..).

FW1:
    ike esp from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2
FW2:
    ike esp from 192.168.200.0/24 to 192.168.99.0/24 peer 172.16.0.1

I enable isakmpd, enable ipsec, my flows/SADs are good. My continuous ping still works but now I have no traffic flowing through em1 and all traffic is encrypted and flowing over em2. I figure that ipsec is ignoring the routing table and sending that matching traffic to its peer.

I deleted the default routes altogether since no traffic is being passed through there anymore. All my pings stopped working.

Another interesting thing is it seems like as long as there is any kind of entry in the routing table for the network you're trying to reach, it will fix things. On FW1 and FW2 this fixed my pings between Server A and Server Z:

    # route add default 127.0.0.1

That fixes my pings. If I delete all default routes and add static routes:

FW1:
    # route delete default
    # route add 192.168.200.0/24 127.0.0.1
FW2:
    # route delete default
    # route add 192.168.99.0/24 127.0.0.1

This also fixes my pings. I can also set the gateway to an IP that doesn't even exist:

FW1:
    # route delete default
    # route add 192.168.200.0/24 192.168.99.45
FW2:
    # route delete default
    # route add 192.168.99.0/24 192.168.200.27

All of these things will fix my connectivity. The moment the route doesn't exist or I remove the default route it breaks everything. So I am wondering what is going on.
I can fix my pings by adding fake routes, routes that point at a loopback address and creating default routes that lead to non-existent IPs, but everything seems to break if I delete the route altogether. Hopefully someone here can shed some light. If you need to see any config files, I can provide them but I felt like it's a pretty straightforward issue. Thanks
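An added illustration (not from the original post, and not OpenBSD code): a simplified Python model of the order in which a BSD-style IP output path makes its decisions, a routing-table lookup for the destination first and the IPsec flow (SPD) match only afterwards. It assumes that ordering, which is what makes any route at all, even one via 127.0.0.1 or a gateway that does not exist, sufficient for the flow to take over, while no route drops the packet before the flow is ever consulted; the flow table below is constructed to mirror the post's FW1 ipsec.conf line.

```python
"""Simplified model of a BSD-style output path: route lookup first,
IPsec flow (SPD) lookup only for packets that already have a route.
This is an illustration written for this post, not kernel code."""
from ipaddress import ip_address, ip_network

# Constructed flow table, mirroring FW1's "ike esp from ... to ... peer" line.
FLOWS = [
    {"src": ip_network("192.168.99.0/24"),
     "dst": ip_network("192.168.200.0/24"),
     "peer": "172.16.0.2"},
]


def lookup_route(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; 'default' is 0.0.0.0/0."""
    best = None
    for prefix, gw in routes:
        net = ip_network("0.0.0.0/0") if prefix == "default" else ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def lookup_flow(src, dst):
    """First flow whose src/dst selectors cover the packet, or None."""
    for flow in FLOWS:
        if src in flow["src"] and dst in flow["dst"]:
            return flow
    return None


def output(routes, src, dst):
    """Decide a packet's fate: ('drop', reason), ('esp', peer) or ('plain', gateway)."""
    src, dst = ip_address(src), ip_address(dst)
    route = lookup_route(routes, dst)
    if route is None:
        return ("drop", "EHOSTUNREACH")   # no route: the flow table is never reached
    flow = lookup_flow(src, dst)
    if flow is not None:
        return ("esp", flow["peer"])      # flow matched: gateway of the route is irrelevant
    return ("plain", route[1])            # no flow: forward in the clear via the gateway


if __name__ == "__main__":
    # The four routing tables from the post, applied to a Server A -> Server Z packet.
    for name, routes in [("default via real gw", [("default", "10.100.100.2")]),
                         ("default via loopback", [("default", "127.0.0.1")]),
                         ("static via bogus gw", [("192.168.200.0/24", "192.168.99.45")]),
                         ("no route at all", [])]:
        print(f"{name:22} -> {output(routes, '192.168.99.10', '192.168.200.10')}")
```

Run it to see that the three tables with any matching route all yield the ESP peer, and only the empty table drops the packet.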