[Xorp-users] Problem routing to VPN subnets

Dirk dirk.schulz at kinzesberg.de
Sat Apr 19 09:24:26 PDT 2014 

Hi all,

I have a routing problem I am stuck with.

I have 2 routers, let's say router1 and router2. Both are using OSPFv2.

Router1 and router2 are sharing 2 physical subnets forming the backbone 
area and a third physical subnet forming another area. Then there is a 
OpenVPN on each router, using a unique subnet and area that is connected 
to this router only (let's say VPN1 und router1 and VPN2 on router2).

Now comes the weird part:
- "ip route show" in Linux shows a completely sensible routing table on 
both routers.
- "traceroute" used on each router for any possible destination shows 
the correct hops, also for VPN destinations to both VPNs.
But:
Packets destined for VPN1 coming from router2 are
- correctly forwarded to the tun0 interface and into the VPN if they 
come from the first physical subnet of the backbone area
- wrongly forwarded back to router2 if they come from the second 
physical subnet of the backbone area (and thus circling between router1 
and router2).
Packets destined for VPN2 coming from router1 are
- correctly forwarded to the tun0 interface and into the VPN if they 
come from the first physical subnet of the backbone area
- wrongly forwarded back to router2 if they come from the second 
physical subnet of the backbone area (and thus circling between router1 
and router2).
I found out the details of this behaviour using tcpdump on both routers 
and traceroute on hosts in both physical subnets. If necessary, I can 
show dumps of both commands.

The physical subnets in the backbone area definition are identical:
     area 0.0.0.0 {
         area-type: "normal"
         interface bond0 {
             vif bond0 {
                 address 93.94.81.251 {
                     priority: 128
                     hello-interval: 10
                     router-dead-interval: 40
                     interface-cost: 1
                     retransmit-interval: 2
                     transit-delay: 1
                     disable: false
                 }
             }
         }
         interface bond1 {
             vif bond1 {
                 address 93.94.82.59 {
                     priority: 128
                     hello-interval: 10
                     router-dead-interval: 40
                     interface-cost: 1
                     retransmit-interval: 2
                     transit-delay: 1
                     disable: false
                 }
             }
         }
     }

And the interface definitions are identical also:

     interface bond0 {
         description: "allcust bonding interface"
         disable: false
         default-system-config
     }

     interface bond1 {
         description: "own net bonding interface"
         disable: false
         default-system-config
     }

I do not see any config where this kind of "source based routing" 
behaviour can come from.

Another funny aspect of this is: This same setup has worked perfectly on 
CentOS 5 with xorp 1.6.x. The problem exists on CentOS 6 with xorp 1.8.5.

Any hint or help is appreciated.

Dirk

More information about the Xorp-users mailing list