Hi
>>>i think when the tunnel is enable the 192.168.1.1 traffic it gets rejected for some reason
>>>I think is a bug inside the router firmware.
1. I was expecting that this "may" happen (or rather would happen if there is no fix) when i suggested that you should use the summarized-subnet "192.168.0.0/255.255.0.0" in the vpn tunnel configs on each of the routers
- BUT i was hoping with fingers-crossed that this behavior "maybe" would have been fixed or not present in RV130/132 routers
- BUT i did not mention about this repurcussion before-hand becos i had to confirm that this may happen on the RV130/132 routers. Which you have now confirmed that this issue is definitely occuring
2. Yes it is a "bug" in the RV130/132 routers for sure.
Note: Its not an issue with RV160 though becos it has the required fixes/additional-configs that solves this problem of using summarized-subnets as traffic-selectors in vpn tunnels
3. Its not really a "bug" as in "bug", its actually a scenario in which there is a need to additionally add a "bypass-ipsec rule for local-subnet-to-local-subnet traffic"
a) You see say consider siteA-router:
lan-host/192.168.1.2----192.168.1.1[RV130]=====ipsec-tunnel===[RV160]
- now on this RV130 you have the ipsec tunnel policy configured as below:
192.168.1.0/24<>192.168.0.0/16 : Protect IPsec
- So when you ping from 192.168.1.2 to 192.168.1.1, whats happening is that this is ping-packet with destination 192.168.1.1 is matching the above ipsec policy to the destination-traffic-selector which is a summarized-subnet 192.168.0.0/16 (and 192.168.1.1 falls into this..eventhough its supposed to be directly-connected)
- and therefore this ping packet is being forwarded across the active ipsec tunnel upto the RV160...where it is dropped after decryption which is to be expected becos there is NO 192.168.1.1 destination on RV160...
b) This is a not a bug in the true-sense becos this is "routing" behavior and happens when you have vpn tunnel with a remote-destination traffic-selector that is a summarized-subnet of local-network-traffic-selector....
c) So generally the "fix" or the solution to these kind of scenarios where you may need to use summarized-subnets in the vpn-tunnels is to ensure that a "bypass-ipsec-for-local-subnet-to-local-subnet traffic" rule is added in the ipsec-policy alongwith the above policy
- this bypass policy would be something like below (it means - dont apply ipsec to traffic that is within the local-subnet:
192.168.1.0/24<>192.168.1.0/24: Bypass-IPsec
d) So in case of RV130/132, the automatic applying of the required bypass-ipsec rule/configuration is not being added on these routers in this specific vpn tunneling scenario (using summarized-subnets). Hence its a bug on these routers
e) And another point is that even in case, on RV130/132, if the subnet "ANY(0.0.0.0/0.0.0.0)" was allowed to be used, the same issue would have happened becos on these routers the bypass-ipsec/passthrough ipsec-policies/rules are NOT being added...so its a overall problem on RV130/132
4. So now to solve this issue in your network deployment, another config method needs to be applied - provided ofcourse it is supported on RV130/132
(Note: it is working on RV160/260/34X routers though as seen in attached screenshot of the config that i tried and it works on RV160/260/34X)
So can you kindly please try applying the below configs on each of the specified routers?
1. On-SiteA/RV130 router
a) Keep all configs as earlier for the tunnel to siteB/Hubgw, and
b) In the remote traffic selector give the below values
subnet:128.0.0.0
mask: 128.0.0.0
2. And on SiteC-RV132 router too
in the remote traffic selector, give the below:
subnet:128.0.0.0
mask: 128.0.0.0
3. On RV160
For each s2s tunnel, keep the existing configs as it is, and additionally change for Local-traffic selector from 192.168.0.0/16 to below:
Local subnet: 128.0.0.0
Mask: 128.0.0.0
Hopefully this above updated config should solve and fix the issues observed by you
best wishes
