Why are my VPN packets being routed through the wrong interface?

In most circumstances the external interface (the one holding the default gateway) is used to route ESP (IPsec) packets over the internet to the remote node. In some situations you might route a VPN over a network that does not have the default gateway assigned to it (an internal network). When an outbound packet from your local encryption domain that is destined to be encrypted hits the firewall, it is passed up the TCP/IP stack and routed to the interface which holds the route for the remote encryption domain, and only then encapsulated and routed onward. Normally this is the external, internet-facing NIC, so the packet finds its way to the correct interface.

If you want to route the packet through a different interface, you have to add a route to the remote network's encryption domain; otherwise the packet is passed to the network card that holds the default route.

Even though you can already route to the remote VPN tunnel endpoint, you must also add a route to the remote encryption domain; otherwise the packets will be routed out of the default gateway.

You may also see ICMP redirect packets from the firewall's internal interface being sent back to the node initiating the VPN.
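The following Python model is an added illustration and not part of this FAQ entry or any vendor's code. It mimics the two route lookups described above: the cleartext packet is first routed by its own destination (the remote encryption domain), and only then encapsulated in ESP and routed by the tunnel endpoint address. All interface names, prefixes and addresses (eth0/eth1, 203.0.113.1, 10.0.0.254, 172.16.5.1, 192.168.50.0/24) are constructed for the example. With only a route to the tunnel endpoint, the cleartext lookup falls through to the default route on the external NIC; adding the encryption-domain route moves it to the internal NIC. The `icmp_redirect` flag is a simplification: a router that forwards a packet back out the interface it arrived on normally sends an ICMP redirect to the source, which is the symptom the entry mentions.

```python
import ipaddress

# Constructed routing table (assumed, not from the page).
# Each entry: (prefix, interface, gateway or None for a directly connected network).
BASE_ROUTES = [
    ("0.0.0.0/0",     "eth0", "203.0.113.1"),  # external NIC holds the default gateway
    ("10.0.0.0/24",   "eth1", None),           # internal NIC, local encryption domain
    ("172.16.0.0/16", "eth1", "10.0.0.254"),   # route to the remote tunnel endpoint only
]
REMOTE_PEER = "172.16.5.1"             # remote VPN gateway (tunnel endpoint), constructed
REMOTE_ENC_DOMAIN = "192.168.50.0/24"  # remote encryption domain, constructed


def lookup(routes, dst):
    """Longest-prefix match. Returns (interface, gateway) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def route_vpn_packet(routes, inner_dst, peer, ingress_iface="eth1"):
    """Model the two lookups the text describes.

    1. The cleartext packet is routed by its own destination (inner_dst,
       an address in the remote encryption domain); that lookup selects
       the interface on which encryption happens.
    2. The resulting ESP packet is routed by the tunnel endpoint (peer).
    """
    plain_iface, _ = lookup(routes, inner_dst)
    esp_iface, _ = lookup(routes, peer)
    return {
        "plaintext_iface": plain_iface,
        "esp_iface": esp_iface,
        # Simplified: forwarding back out the ingress interface is the usual
        # trigger for an ICMP redirect to the originating node.
        "icmp_redirect": plain_iface == ingress_iface,
    }


def with_enc_domain_route(routes):
    """The fix from the text: add a route for the remote encryption domain
    pointing at the same internal next hop as the tunnel endpoint route."""
    return routes + [(REMOTE_ENC_DOMAIN, "eth1", "10.0.0.254")]


if __name__ == "__main__":
    host = "192.168.50.10"  # constructed host inside the remote encryption domain
    print("before fix:", route_vpn_packet(BASE_ROUTES, host, REMOTE_PEER))
    print("after fix: ", route_vpn_packet(with_enc_domain_route(BASE_ROUTES), host, REMOTE_PEER))
```

Run it as-is: before the fix the cleartext lookup returns `eth0` (default route) even though the peer itself is reachable via `eth1`; after `with_enc_domain_route` both lookups return `eth1`. When checking a real gateway, compare the route for a host in the remote encryption domain, not just the route for the peer address.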


Added 29 APR 2003
