Astaro User Bulletin Board
Old 07-06-2009, 09:40 PM
Remote Access routing across Site to Site VPN

I have four Astaro systems, all acting as the only gateway for their respective networks. The systems are connected via Site to Site VPNs and I can ping all hosts across the WAN as expected. My primary site also supports Remote Access for a number of users.

The problem: Remote Access users can only ping hosts on the primary site (A) network. I have the Remote Access network included in the valid networks for the Site to Site connection on both ends. When I review the routes reported in the support-advanced section it all appears correct on both ends, yet I cannot ping any host on the remote site (B), including the Astaro itself. I can see where the site B router knows the Remote Access network (10.242.2.0) is available through the ipsec Site to Site VPN back to site A.

Additional info: We have our Remote Access network specified in the masquerading table mapped to the internal network per Astaro support instructions. This was to ensure proper route insertion on the remote access client side.

Site A route table:
10.242.2.2 dev tun0 proto kernel scope link src 10.242.2.1
72.48.117.176/28 dev eth1 proto kernel scope link src 72.48.117.179
10.242.2.0/24 via 10.242.2.2 dev tun0
192.168.200.0/24 dev eth4 proto kernel scope link src 192.168.200.1
192.168.202.0/24 dev ipsec0 proto 42 scope link
192.168.203.0/24 dev ipsec0 proto 42 scope link src 192.168.200.1
192.168.205.0/24 dev ipsec0 proto 42 scope link src 192.168.200.1
192.168.210.0/24 dev eth2 proto kernel scope link src 192.168.210.1
127.0.0.0/8 dev lo scope link
default via 72.48.117.177 dev eth1 proto kernel
local 10.242.2.1 dev tun0 table local proto kernel scope host src 10.242.2.1
broadcast 72.48.117.176 dev eth1 table local proto kernel scope link src 72.48.117.179
local 72.48.117.178 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.179 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.179 dev ipsec0 table local proto kernel scope host src 72.48.117.179
local 72.48.117.180 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.181 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.182 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.183 dev eth1 table local proto kernel scope host src 72.48.117.179
local 72.48.117.184 dev eth1 table local proto kernel scope host src 72.48.117.179
broadcast 72.48.117.191 dev eth1 table local proto kernel scope link src 72.48.117.179
broadcast 72.48.117.191 dev ipsec0 table local proto kernel scope link src 72.48.117.179
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.200.0 dev eth4 table local proto kernel scope link src 192.168.200.1
local 192.168.200.1 dev eth4 table local proto kernel scope host src 192.168.200.1
local 192.168.200.2 dev eth4 table local proto kernel scope host src 192.168.200.1
broadcast 192.168.200.255 dev eth4 table local proto kernel scope link src 192.168.200.1
broadcast 192.168.210.0 dev eth2 table local proto kernel scope link src 192.168.210.1
local 192.168.210.1 dev eth2 table local proto kernel scope host src 192.168.210.1
broadcast 192.168.210.255 dev eth2 table local proto kernel scope link src 192.168.210.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1

Site B route table:
default via 71.40.255.49 dev eth1 table default proto kernel
71.40.255.48/30 dev eth1 proto kernel scope link src 71.40.255.50
10.242.2.0/24 dev ipsec0 proto 42 scope link src 192.168.202.1
192.168.200.0/24 dev ipsec0 proto 42 scope link src 192.168.202.1
192.168.202.0/24 dev eth0 proto kernel scope link src 192.168.202.1
192.168.203.0/24 dev ipsec0 proto 42 scope link src 192.168.202.1
192.168.252.0/24 dev eth2 proto kernel scope link src 192.168.252.1
127.0.0.0/8 dev lo scope link
broadcast 71.40.255.48 dev eth1 table local proto kernel scope link src 71.40.255.50
local 71.40.255.50 dev eth1 table local proto kernel scope host src 71.40.255.50
local 71.40.255.50 dev ipsec0 table local proto kernel scope host src 71.40.255.50
broadcast 71.40.255.51 dev eth1 table local proto kernel scope link src 71.40.255.50
broadcast 71.40.255.51 dev ipsec0 table local proto kernel scope link src 71.40.255.50
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.202.0 dev eth0 table local proto kernel scope link src 192.168.202.1
local 192.168.202.1 dev eth0 table local proto kernel scope host src 192.168.202.1
broadcast 192.168.202.255 dev eth0 table local proto kernel scope link src 192.168.202.1
broadcast 192.168.252.0 dev eth2 table local proto kernel scope link src 192.168.252.1
local 192.168.252.1 dev eth2 table local proto kernel scope host src 192.168.252.1
broadcast 192.168.252.255 dev eth2 table local proto kernel scope link src 192.168.252.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
Old 07-06-2009, 09:55 PM
Found my own problem...

I found where we had failed to include the remote site networks in the "local networks" configuration for the SSL Remote Access. Once I added the site B network and reestablished the connection, I was able to ping hosts on the site B network.
These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.