On Fri, 2021-07-16 at 20:14 +1000, Karl Auer wrote:
I have these two routers which *were* doing an IPSec VPN quite successfully, but for reasons unclear now no longer have a (VPN) connection. There is Internet connectivity between them, but IPsec stays stubbornly down. I'm at a bit of a loss, because the setup seems ridiculously simple!
I'm almost too embarrassed to write this, but here goes. Basically I made the cardinal mistake of assuming something instead of just noting the symptoms. I assumed the VPN was down; but all I really knew was that my test traffic was not being delivered as it should have been, and that it should have been going over the VPN. The policy at one end says run traffic over the VPN if it comes from 192.168.102.0/24 and is going to 192.168.103.0/24. The policy at the other end says vice versa. I was testing from the routers themselves - which have many interfaces and thus many possible source addresses. And I was not specifying a source address for my tests, so my test packets were not coming from source addresses that matched the policies. The penny dropped as I watched (for the thousandth time) a host unreachable come back from the ISP's next hop address, and oh-so- belatedly twigged that my test packets were not being directed over the VPN at all... As soon as I specified the right source addresses in my tests, the traffic went over the VPN. And when I then tested from the networks on the LAN sides of the routers (something I should have tried a lot earlier), that worked too. Regards, K. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 http://www.nullarbor.com.au mobile +61 428 957160