Routing via Gateway Group

Started by adn77, August 24, 2023, 11:20:53 PM

I have successfully set up a gateway group for two remote VPN gateways (the remote appliance has two WAN links).

  • Local LAN: 192.168.20.0/24
  • Remote network: 172.16.0.0/16
  • IPSec transport networks: 10.10.253.0/24, 10.10.254.0/24
I am directing traffic to the remote network via an incoming firewall rule on our internal interfaces:

Allow IPv4 - any protocol - from: anywhere - dst: remote network - gateway: gateway group

I added two incoming rules to the IPSec interface:

Allow IPv4 - any protocol - from: remote network - dst: anywhere
Allow IPv4 - any protocol - from: IPSec transport network - dst: anywhere


I can ping the remote site fine - the problem is, the remote site can't ping anything in our local network.
On the remote firewall I can ping the gateway interfaces fine.

I performed a packet capture and I see the following:
enc0 10:28:15.045875 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.045901 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.046003 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8474, length 40


It looks like the ICMP echo reply is lost on its way back to the gateway group. Is there something I am missing?

The only way I get this to work is when I add a static route via one of the remote gateways in the transport networks. Adding both doesn't really help in the case of fail-over as there's always just a single route in the routing table.

This is driving me crazy for some time now - I am short of trying some dynamic routing protocols...
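To confirm the diagnosis above (echo reply seen on the LAN interface but never on enc0), here is an added Python check that is not code from the original post: it walks tcpdump lines of the shape shown and lists every echo request that entered on the tunnel interface without its reply leaving on that same interface. The sample capture is the post's three lines plus one constructed healthy exchange (seq 8475) for contrast.

```python
import re
from collections import defaultdict

# Matches tcpdump lines of the form in the capture above:
# "<iface> <time> [(flags): SPI 0x...:] IP <src> > <dst>: ICMP echo <request|reply>, id <n>, seq <n>, length <n>"
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>[\d:.]+)\s+"
    r"(?:\([^)]*\):\s+SPI\s+0x[0-9a-fA-F]+:\s+)?"      # optional IPsec decoration on enc0
    r"IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)

# Constructed sample: the three lines from the post plus a healthy exchange (seq 8475)
# whose reply does make it back onto enc0.
SAMPLE_CAPTURE = """\
enc0 10:28:15.045875 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.045901 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8474, length 40
ix0_vlan20 10:28:15.046003 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8474, length 40
enc0 10:28:16.050000 (authentic,confidential): SPI 0xc96d654d: IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8475, length 40
ix0_vlan20 10:28:16.050020 IP 172.16.1.199 > 192.168.20.29: ICMP echo request, id 1, seq 8475, length 40
ix0_vlan20 10:28:16.050100 IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8475, length 40
enc0 10:28:16.050150 (authentic,confidential): SPI 0x1a2b3c4d: IP 192.168.20.29 > 172.16.1.199: ICMP echo reply, id 1, seq 8475, length 40
""".splitlines()


def parse(lines):
    """Yield one dict per ICMP echo line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            yield d


def find_asymmetric_pings(lines, tunnel_iface="enc0"):
    """Return {(id, seq): [interfaces the reply was seen on]} for every echo
    request that arrived on tunnel_iface but whose reply never left on it."""
    requests_in = set()
    replies_on = defaultdict(set)
    for p in parse(lines):
        key = (p["id"], p["seq"])
        if p["kind"] == "request" and p["iface"] == tunnel_iface:
            requests_in.add(key)
        elif p["kind"] == "reply":
            replies_on[key].add(p["iface"])
    return {k: sorted(replies_on[k]) for k in sorted(requests_in)
            if tunnel_iface not in replies_on[k]}


if __name__ == "__main__":
    for (icmp_id, seq), seen_on in find_asymmetric_pings(SAMPLE_CAPTURE).items():
        print(f"id {icmp_id} seq {seq}: reply seen on {seen_on or 'nowhere'}, never on enc0")
```

Run it against `tcpdump -ni <iface>`-style output from both the tunnel and LAN interfaces; a non-empty result means the return path is not being steered back into the tunnel.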

I have exactly the same experience. Very frustrating...
I am heading for an OSPF setup now.