ISP Redundancy and routed public networks

Dear all,

May I submit the following issue that some of you may have already encountered and solved?

We have to migrate an old netfilter-based firewall to VPN-1 with ISP redundancy. Let's say we have 2 ISPs, connected to the firewall through interconnection-only links, this way:

ISP1 Router : 200.1.1.1/29 - ISP1 firewall interface : 200.1.1.2/29
ISP2 Router : 100.2.1.1/29 - ISP2 firewall interface : 100.2.1.2/29

Additionally, each ISP router knows static routes to multiple IP blocks logically located behind the firewall:

ISP1 router knows that 201.1.1.0/25 is reachable via 200.1.1.2
ISP2 router knows that 101.1.1.0/25 and 102.1.1.0/24 are reachable via 200.2.1.2

We know that ISP redundancy works when NAT is performed from/to directly connected networks. I mean that:
- if I perform NAT from/to 200.1.1.3, the next hop will be 200.1.1.1
- if I perform NAT from/to 100.2.1.3, the next hop will be 100.2.1.1

But when I perform NAT from/to routed networks, the next hop used is the system's default one, so that networks belonging to ISP2 might be seen as sources on ISP1's network, causing asymmetric routing, and the concerned traffic to be dropped.

I tried to bypass this behaviour using source routing, but this does not work. I guess this is because routed networks are only used for NAT, and no real IPs in the routed subnet really exist.

Can anybody help?

Thanks,
Philippe / ExaProbe.
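The asymmetry Philippe describes, as an added illustration that is not part of the original post and not VPN-1 behaviour: the script below models a plain destination-based routing decision (the kind a Linux/iproute2 box makes) versus the same decision with source-based policy rules, using the addresses from the post. With only a default route, a NAT source taken from an ISP2-advertised block (e.g. 101.1.1.10) leaves via ISP1's gateway, so ISP1 sees a source it never advertised and the reply path breaks. Adding one `ip rule ... from <block>` per advertised block, each pointing at a table whose default is that ISP's gateway, pins the egress to the ISP that actually announces the block. The table names `isp1`/`isp2`, the sample destination 198.51.100.7 and the per-block sample hosts are assumptions for the example; note that in this simplified model even the directly-connected /29 NAT addresses need a rule, whereas the post says VPN-1 already handles those correctly.

```python
import ipaddress

# Constructed from the addresses in the post: every public block and the ISP
# gateway that advertises it. The /29s are the interconnect links; the other
# blocks are routed to the firewall and exist there only as NAT addresses.
ISP1_GW = ipaddress.ip_address("200.1.1.1")
ISP2_GW = ipaddress.ip_address("100.2.1.1")

ADVERTISED_BY = {
    ipaddress.ip_network("200.1.1.0/29"): ISP1_GW,
    ipaddress.ip_network("201.1.1.0/25"): ISP1_GW,
    ipaddress.ip_network("100.2.1.0/29"): ISP2_GW,
    ipaddress.ip_network("101.1.1.0/25"): ISP2_GW,
    ipaddress.ip_network("102.1.1.0/24"): ISP2_GW,
}


class RoutingTable:
    """A destination-only table: longest-prefix match, then the default route."""

    def __init__(self, routes=None, default=None):
        self.routes = dict(routes or {})   # network -> gateway
        self.default = default

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else self.default


MAIN = RoutingTable(default=ISP1_GW)      # the system default points at ISP1
VIA_ISP1 = RoutingTable(default=ISP1_GW)  # per-ISP tables used by policy rules
VIA_ISP2 = RoutingTable(default=ISP2_GW)


def policy_rules():
    """One source-based rule per advertised block, ordered like `ip rule` entries."""
    return [(prefix, VIA_ISP1 if gw == ISP1_GW else VIA_ISP2)
            for prefix, gw in ADVERTISED_BY.items()]


def next_hop(src, dst, rules=()):
    """Egress gateway for a packet whose (post-NAT) source address is src.

    Rules are tried in order; the first rule whose source prefix matches and
    whose table has a route for dst wins. With no rules, only the destination
    is consulted, which is exactly what makes routed NAT blocks go astray.
    """
    src = ipaddress.ip_address(src)
    for prefix, table in rules:
        if src in prefix:
            gw = table.lookup(dst)
            if gw is not None:
                return gw
    return MAIN.lookup(dst)


def misrouted_blocks(rules=(), dst="198.51.100.7"):
    """Blocks whose NAT addresses would leave through an ISP that does not
    advertise them for traffic to dst. Each entry is a source the other ISP
    would see arriving on its link: the asymmetry that gets traffic dropped.
    The sample host index 3 is an assumption (e.g. 200.1.1.3 on the /29)."""
    return [prefix for prefix, owner in ADVERTISED_BY.items()
            if next_hop(prefix[3], dst, rules) != owner]


def ip_rule_commands(table_names=None):
    """iproute2 commands installing the same policy on a Linux (netfilter)
    firewall. Table names are assumed and must exist in /etc/iproute2/rt_tables."""
    table_names = table_names or {ISP1_GW: "isp1", ISP2_GW: "isp2"}
    cmds = [f"ip route add default via {gw} table {name}"
            for gw, name in table_names.items()]
    cmds += [f"ip rule add from {prefix} table {table_names[gw]}"
             for prefix, gw in ADVERTISED_BY.items()]
    return cmds


if __name__ == "__main__":
    print("without policy rules, misrouted:", [str(p) for p in misrouted_blocks()])
    print("with policy rules, misrouted:   ", [str(p) for p in misrouted_blocks(policy_rules())])
    print("\n".join(ip_rule_commands()))
```

Run without arguments it prints the blocks that would egress through the wrong ISP before and after the rules, followed by the `ip rule` / `ip route ... table` lines a Linux box would need. The point for the migration is that the rule has to key on the post-NAT source address: routing on the pre-NAT internal source, or on destination alone, cannot distinguish a 101.1.1.x NAT address from a 201.1.1.x one.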