[Vpn-help] no traffic is routed if using ipsec policy routes

Evan Kinney Evan.Kinney at sas.com
Fri Sep 4 21:09:25 CDT 2009


Using 2.1-rc3 on Win7 Enterprise x64 RTM.

Connecting to a Cisco concentrator that's using group auth with a PSK. The concentrator provides about 30 routes on connect in addition to a list of search domains and DNS servers - these do indeed get added to the Windows routing table, but no traffic can be routed to addresses in these networks. If I try to ping an address, it gives me an ICMP "destination host unreachable" reply from the address assigned to my tunnel the first time, and then just times out. Traceroute shows that it's trying to pass the traffic to my home router instead of through the tunnel.

If I uncheck the "Obtain Topology Automatically..." checkbox in the Policy tab, add in a route manually to one of our internal networks (10.0.0.0/8), and reconnect, I can connect to addresses within this network just fine (and, since the internal DNS servers are on this subnet, DNS works beautifully as well). The problem only seems to manifest itself if I let the routes get configured automatically based on the ipsec policies. I had a problem with the tunnel timing out from DPD failures, but that was a NAT issue - I now see the DPD acks in the IKE logs.

This config was imported from a PCF, if that makes any difference.

I'm not sure what information is needed from the logs, but I'll be glad to provide whatever anyone needs.

Thanks in advance for any help anyone can provide.


--
Evan Kinney
Systems Administrator, Research and Development
SAS Institute Inc.
1 SAS Campus Drive | Room RA409 | Cary, NC 27513 | United States
+1 919.265.9396 (m) | +1 919.531.2136 (o) | evan at txt.att.net (p)
evan.kinney at sas.com

SAS: THE POWER TO KNOW.(R)
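A check for the symptom described above, added here as an example and not part of the original post or of the Shrew Soft client: parse the IPv4 "Active Routes" section of Windows `route print` output and, for each internal destination, apply the selection Windows makes (longest matching prefix first, lowest metric as the tie-break) to see which route actually wins and whether it is bound to the tunnel adapter or to the physical LAN adapter. The routing table, the tunnel address 10.200.0.5, the LAN address 192.168.1.50 and the destinations are constructed sample data; on a real machine you would feed it the output of `route print -4`.

```python
"""Audit which Windows route wins for a set of destinations.

Parses the IPv4 active-routes section of `route print` and applies the
selection Windows uses: the longest matching prefix wins, and among routes
with the same prefix length the lowest metric wins. A destination is
flagged when the winning route's interface is not the tunnel adapter's
address, which is exactly the case where traceroute shows the traffic
leaving via the LAN default gateway instead of the VPN.
All addresses below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link" for a directly connected route
    interface: str    # address of the interface the route is bound to
    metric: int


# Only lines of the form: destination  netmask  gateway  interface  metric
_ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample in the layout of `route print -4` on Windows 7.
# 10.0.0.0/8 is the manually added route via the tunnel (10.200.0.5);
# 10.20.30.0/24 stands in for a pushed route that ended up bound to the LAN
# adapter with a better metric than its tunnel-bound twin.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     20
         10.0.0.0        255.0.0.0         On-link       10.200.0.5     30
      10.20.30.0    255.255.255.0      192.168.1.1    192.168.1.50     21
      10.20.30.0    255.255.255.0         On-link       10.200.0.5     31
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    276
        224.0.0.0        240.0.0.0         On-link    192.168.1.50    276
===========================================================================
"""

TUNNEL_IP = "10.200.0.5"   # assumed address assigned to the VPN adapter


def parse_route_print(text):
    """Return the Route entries found in `route print` output, skipping headers."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_LINE.match(line)
        if not m:
            continue  # header, separator, IPv6 section, persistent-routes block
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def select_route(routes, dst):
    """Pick the route Windows would use for dst: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def audit(routes, tunnel_ip, destinations):
    """Map each destination to (winning route, True if it leaves via the tunnel)."""
    report = {}
    for dst in destinations:
        route = select_route(routes, dst)
        via_tunnel = route is not None and route.interface == tunnel_ip
        report[dst] = (route, via_tunnel)
    return report


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst, (route, ok) in audit(table, TUNNEL_IP, ["10.5.6.7", "10.20.30.40"]).items():
        status = "via tunnel" if ok else "NOT via tunnel"
        print(f"{dst:>14} -> {route.network} gw={route.gateway} "
              f"if={route.interface} metric={route.metric}: {status}")
```

With the sample table, 10.5.6.7 falls only under the manual 10.0.0.0/8 route and leaves via the tunnel, while 10.20.30.40 is caught by the more specific /24 whose lowest-metric entry is bound to 192.168.1.50, so it goes to the home router even though a tunnel-bound route for the same prefix exists. That is the distinction worth checking when "the routes are in the table" but traffic still follows the default gateway.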
