I have a WR44 on a statically addressed PPPoE connection. This router is connected to by 3 other WR44 units over IPsec and a single Linux host that is using GRE tunnels inside IPsec tunnels.
The problem is the Linux host cannot ping any of the IPsec connected WR44 units; it can only ping and communicate with the DSL connected router and the networks behind it.
This is very odd.
I have another site with a WR44 host as the IPsec responder and a WR21 in the field connected to the WR44 over IPsec. The behavior is the same. A Linux host connected to the WR44 using GRE inside IPsec tunnels cannot ping the other WR IPsec connected units.
Why are the eroutes not forwarding the packets to the other networks?
I have an update to this…
None of the field WR44 spokes connected to the hub WR44 over IPsec can ping each other. That is, the spokes can only ping the hub but the spokes cannot ping each other. The WR44 hub is not properly routing the packets.
I can’t put a static route in for this as the eroutes (the IPsec tunnels) aren’t interfaces, so there is no way to statically route this stuff. The WR44 should pick this up as a dynamic route and insert the destination in the routing table as directly connected…but it’s not doing that.
“The WR44 should pick this up as a dynamic route and insert the destination in the routing table as directly connected”
No, this is not the normal operation of a WR44. It is only a recently available option to insert the route into the routing table, but it is not activated by default.
Do you see your SAs get built?
Yes, the SAs are all there. Data is flowing nicely from the spokes to the hub. The data just can’t flow from the spokes to the spokes.
“It is only a recently available option to insert the route into the routing table but it is not activated by default.”
How does one activate it? I don’t see that anywhere in the docs or app notes.
In the IPsec config on the spokes, the remote LAN subnet needs to be wide enough to encompass all networks that should be accessed over the IPsec VPN. The hub router IPsec config should be modified so the local and remote LAN subnet selectors are set to match the modified config on the spokes.
If you have used contiguous subnets then the task will be relatively easy.
The workaround to do this is to use the GRE tunnels.
You then use static routes (tested) or in theory you could also use OSPF or RIP and it will all work.
To have spoke to spoke communication via the hub you have to have the eroute network selectors in the eroute configured to cover the ranges of all the subnets used on the remote sites.
site 1 -> 192.168.1.x
site 2 -> 192.168.2.x
site 3 -> 192.168.3.x
Hub -> 192.168.0.x
Where normally the site would use selectors of
192.168.1.x /24 -> 192.168.0.x /24
you would have to use
192.168.1.x /24 -> 192.168.0.x /16
This would allow any traffic to 192.168.x.x to enter the tunnel and go to the hub.
Any traffic that hits the hub that is not for the local LAN would then be pushed back out the WAN interface and at that point match one of the other eroutes.
Routing: the new feature to inject into the routing table will not help, as you cannot set up a static route to the eroute; it is more for reference in the routing table and also to be used to inject into BGP or OSPF for other routers they talk to.
If you want to use GRE over IPsec this would work, but at this point you would have to use a static route for each site or a routing protocol to update all the spokes when online with updates of sites available.
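The selector-widening advice above (spoke remote selector /24 versus /16, hub selectors adjusted to match), as an added simulation that is not part of the thread and not Digi code: eroutes are modelled as (local selector, remote selector, peer) tuples with the assumed rule that a packet enters an eroute when its source lies in the local selector and its destination in the remote selector; the site addressing follows the plan given in the thread, and what a real unit does with traffic that matches no eroute is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: hub LAN 192.168.0.0/24,
# spokes 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24.
LOCAL_LAN = {"hub": "192.168.0.0/24"}
for n in (1, 2, 3):
    LOCAL_LAN[f"site{n}"] = f"192.168.{n}.0/24"

def build_eroutes(wide_selectors):
    """Return {router: [(local_selector, remote_selector, peer), ...]}.

    wide_selectors=False: spokes use 192.168.n.0/24 -> 192.168.0.0/24 (hub LAN only)
    wide_selectors=True : spokes use 192.168.n.0/24 -> 192.168.0.0/16 and the hub's
                          local selector is widened to /16 to match (thread's advice).
    """
    hub_side = "192.168.0.0/16" if wide_selectors else "192.168.0.0/24"
    eroutes = {"hub": []}
    for n in (1, 2, 3):
        site = f"site{n}"
        eroutes[site] = [(f"192.168.{n}.0/24", hub_side, "hub")]
        eroutes["hub"].append((hub_side, f"192.168.{n}.0/24", site))
    return eroutes

def match_eroute(eroutes, src, dst):
    """First eroute whose selectors contain src/dst, or None if no tunnel matches."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote, peer in eroutes:
        if s in ip_network(local) and d in ip_network(remote):
            return peer
    return None  # assumed: no eroute matched, packet is not sent through a tunnel

def trace(topology, start, src, dst, max_hops=4):
    """Follow a packet router by router; returns (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        if ip_address(dst) in ip_network(LOCAL_LAN[node]):
            return path, True          # destination is on this router's LAN
        nxt = match_eroute(topology[node], src, dst)
        if nxt is None:
            return path, False         # hairpin fails: no selector covers dst
        path.append(nxt)
        node = nxt
    return path, False

if __name__ == "__main__":
    for wide in (False, True):
        print("wide selectors:", wide,
              trace(build_eroutes(wide), "site1", "192.168.1.5", "192.168.2.7"))
```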