I have successfully setup a gateway group to for two remote VPN gateways (remote appliance has two WAN links).
- Local LAN: 192.168.20.0/24
- Remote network: 172.16.0.0/16
- IPSec transport networks: 10.10.253.0/24, 10.10.254.0/24
I am directing traffic to the remote network via an incoming firewall rule on our internal interfaces:
Allow IPv4 - any protocol - from: anywhere - dst: remote network - gateway: gateway groupI added two incoming rules to the IPSec interface:
Allow IPv4 - any protocol - from: remote network - dst: anywhere
Allow IPv4 - any protocol - from: IPSec transport network - dst: anywhereI can ping the remote site fine - the problem is, the remote site can't ping anything in our local network.
On the remote firewall I can ping the gateway interfaces fine.
I performed a packet capture and I see the following:
enc0 10:28:15.045875 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.045901 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.046003 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8474, length 40
It looks like the ICMP echo reply is lost on its way back to the gateway group. Is there something I am missing?
The only way I get this to work is when I add a static route via one of the remote gateways in the transport networks. Adding both doesn't really help in the case of fail-over as there's always just a single route in the routing table.
This is driving me crazy for some time now - I am short of trying some dynamic routing protocols...
I have exactly the same experience. Very frustrating...
I am heading for an OSPF setup now.