SecureClient routing stops after changing from IPSO to SPLAT

[rubber_chicken]

Hi all,

Apologies if I’ve miss-posted this. I suspect this a version difference, although it could be a routing issue or a SecureClient issue.

I’ve got a legacy system (six R55 boxes running on Nokia) with an R61 Management box running on Win 2003. To allow users to VPN into one main site and connect through there to other sites we use the vpn_route.conf config file.

Last week, the hard drive died in one of the main Nokia boxes. I built an R61 SPLAT box to replace it. All is back up and working well except the SecureClient routing. I can see the traffic being encrypted, but I’m not getting a connection.

Consider the following simplified setup



GW1 is a Nokia running R55. Internal anti-spoofing is 10.1.0.0/16
GW2 is a SPLAT running R61. Internal anti-spoofing is 10.2.0.0/16
Office mode pool for GW1 is 10.1.254.0/24
Office mode pool for GW2 is 10.2.254.0/24

If I connect using SecureClient via GW1 I can get to all networks
If I connect using SecureClient via GW2 I can only get to LAN2, 1, 3 & 5.

I’ve confirmed that the routes are correct on the new GW2 as I have full connectivity via the site to site VPN. I’ve also confirmed the return route on the router on LAN2 (sorry not drawn) returns traffic for the Office mode pool 10.2.254.0 back to GW2

Hence, I suspect that there is an option that I have not turned on in SPLAT to enable this.

No routes have been changed (other than being redone on the new GW2) and until the unit died, it was working fine.

Any ideas?

[melipla]

From your drawing it appears that LAN4 and LAN6 are routed through LAN2?

Since 4 & 6 aren't working for SecureClient sourced IPs but are working for LAN1/3/5/2 sources then that indicates a problem with routing for these two networks w/secureclient addresses. Since GW 2's OM IPs can access LAN2, then the disconnect in routing must be the return path for LAN4/6 to GW 2's OM IPs.

[rubber_chicken]

Hi,

Apologies for the delay in getting back to you. A long Xmas/New Years break (it's a glorious summer here in NZ) made me forget all about work. I resolved this, and yes it was a routing issue made by my own haste.

In my rush to rebuild the broken system, I had added a route for the Office Mode pool on GW2 that caused a routing loop between it and the core router in LAN2.

As soon as I removed this offending route all started working perfectly again.

Thanks very much for your time to reply, it made me go through and justify all my static routes. It is greatly appreciated.