IPSec tunnel monitoring fails

Security Gateway Discussions


Post by SECOIT GmbH » 17 Jan 2020, 12:10

Hi All,

I have a customer with two nearby sites.
The main traffic between both sites goes via a 24 GHz wireless point to point connection. For this connection I have added a static route in "main" on both sites.
So far so good.

Since it is important that both sites can communicate at any time, I added a VPN IKEv2 site2site fallback tunnel via their internet provider in case the Wireless PTP ever fails.

So I did a few things:
- I changed the route metric for the wireless PTP connection to 80 and added route monitoring using the firewall's LAN IP address on the opposite site. Works.
- I added an IPSec tunnel using IKEv2 with "auto establish" and DPD on.
On the advanced tab: "Add route dynamically" is unchecked, "Add route statically" is checked. Route metric is 90 so that the wireless PTP (metric 80) is preferred as long as the route monitor doesn't disable the route.
Also I set up tunnel monitoring (which I normally always do) on the advanced tab to ping the gateway's LAN address on the opposite site. This is what fails. The tunnel monitor doesn't get a ping reply and the monitored host seems down even though it's not.

On my log server I see the following:
event: ruleset_drop_packet / rule: Default_Access_Rule
So I added an access rule on both sites allowing traffic on the IPSec interface from the opposite site, and the pings (echo requests) for the tunnel monitor now pass through, but the echo reply still isn't sent via the IPSec tunnel - cOS Core rather sends it via the Wireless PTP connection with the lower metric (asymmetric routing). That causes the ping reply to be discarded and the monitored host still seems down.
event: no_new_conn_for_this_packet / action:drop
Any idea how I can get the IPSec tunnel monitor running with this setup?

Best Regards

anders s

Re: IPSec tunnel monitoring fails

Post by anders s » 21 Jan 2020, 15:56


Create two additional routing tables:
ipsec - contains the remote network over ipsec interface
wireless - contains the remote network over wireless interface with gateway and the network of the wireless interface

Create two routing rules:
from ipsec all-nets to any all-nets - forward main, return ipsec
from wireless all-nets to any all-nets - forward main, return wireless

Same on both sides. This will ensure that return traffic is always sent through the same interface as it is received on.
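To make the mechanism behind that answer concrete, here is an added Python model of the routing logic (it is not cOS Core code and not part of this thread): a "main" table where the lowest metric wins, plus routing rules that pick a separate return table based on the interface a connection arrived on. The site names, addresses (10.1.0.0/24 and 10.2.0.0/24, 192.168.100.0/30 for the wireless link) and interface names are constructed assumptions; the metrics 80 and 90 are the ones from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None
    metric: int = 100
    enabled: bool = True  # route monitoring flips this to False when the probe fails


@dataclass
class RoutingRule:
    src_interface: str   # interface the connection's first packet arrived on
    forward_table: str   # table used for packets in the connection's original direction
    return_table: str    # table used for the reply direction


class Router:
    """Minimal policy-based router: main table + optional per-interface return tables."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {"main": []}
        self.rules: List[RoutingRule] = []

    def add_route(self, table: str, network: str, interface: str,
                  gateway: Optional[str] = None, metric: int = 100) -> None:
        self.tables.setdefault(table, []).append(
            Route(ipaddress.IPv4Network(network), interface, gateway, metric))

    def set_route_state(self, interface: str, enabled: bool) -> None:
        # Simulates the route monitor disabling/enabling every route on an interface.
        for routes in self.tables.values():
            for r in routes:
                if r.interface == interface:
                    r.enabled = enabled

    def lookup(self, table: str, dst: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.tables[table] if r.enabled and addr in r.network]
        if not candidates:
            return None
        # Longest prefix first, then lowest metric (80 beats 90 in the main table).
        best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
        return best.interface

    def select_tables(self, in_interface: str) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.src_interface == in_interface:
                return rule.forward_table, rule.return_table
        return "main", "main"  # no rule: both directions use the main table

    def open_connection(self, in_interface: str, src: str, dst: str) -> dict:
        fwd_table, ret_table = self.select_tables(in_interface)
        out_iface = self.lookup(fwd_table, dst)
        reply_iface = self.lookup(ret_table, src)
        return {"forward": out_iface, "reply": reply_iface,
                "symmetric": reply_iface == in_interface}


def build_site_b(with_rules: bool) -> Router:
    """Site B as described in the thread (constructed addresses); remote LAN is 10.1.0.0/24."""
    r = Router()
    r.add_route("main", "10.2.0.1/32", "core")                        # the firewall's own LAN IP
    r.add_route("main", "10.2.0.0/24", "lan")
    r.add_route("main", "192.168.100.0/30", "wireless")
    r.add_route("main", "10.1.0.0/24", "wireless", "192.168.100.1", 80)  # preferred PTP link
    r.add_route("main", "10.1.0.0/24", "ipsec", None, 90)               # static IPsec fallback
    if with_rules:
        # Table "ipsec": remote network over the tunnel only.
        r.add_route("ipsec", "10.1.0.0/24", "ipsec")
        # Table "wireless": remote network via the PTP gateway plus the link's own network,
        # so the gateway itself is resolvable inside that table.
        r.add_route("wireless", "192.168.100.0/30", "wireless")
        r.add_route("wireless", "10.1.0.0/24", "wireless", "192.168.100.1")
        r.rules.append(RoutingRule("ipsec", "main", "ipsec"))
        r.rules.append(RoutingRule("wireless", "main", "wireless"))
    return r


def tunnel_monitor_reply(with_rules: bool) -> dict:
    """Site A's tunnel monitor pings site B's LAN IP through the tunnel; where does the reply go?"""
    return build_site_b(with_rules).open_connection("ipsec", "10.1.0.1", "10.2.0.1")


if __name__ == "__main__":
    print("without rules:", tunnel_monitor_reply(False))  # reply leaves via wireless
    print("with rules:   ", tunnel_monitor_reply(True))   # reply leaves via ipsec
```

Without the rules the reply to the echo request takes the main-table route with metric 80 (wireless), which is the asymmetric path the first post observed; with the rules the connection that arrived on the IPsec interface is answered through the "ipsec" table, so the reply returns down the tunnel. Ordinary LAN-originated traffic still uses the main table, so the metric-80/90 preference and the route-monitor failover keep working.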

