<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hi,</div>
<div> </div>
<div>I'm trying to configure a responder for use in a "roadwarrior" scenario, albeit unsuccessfully.</div>
<div> </div>
<div>Topology/Config:</div>
<div> </div>
<div>-ip route<br/>
default via 192.168.1.254 dev eth0 src 192.168.1.1 metric 202<br/>
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1 metric 202</div>
<div> </div>
<div>Default gateway @ 192.168.1.254 provides internet access and also inbound NAT forwarding of ports 500/4500 from an internet IP.</div>
<div> </div>
<div>-ipsec.conf:</div>
<div> </div>
<div>
<div>conn %default<br/>
ikelifetime=60m<br/>
keylife=20m<br/>
rekeymargin=3m<br/>
keyingtries=1<br/>
keyexchange=ikev1</div>
<div>conn rw<br/>
left=192.168.1.1<br/>
leftsubnet=0.0.0.0/0<br/>
leftauth=psk<br/>
right=%any<br/>
rightauth=psk<br/>
rightauth2=xauth<br/>
auto=add<br/>
rightsourceip=%dhcp</div>
<div> </div>
<div>-ip route show table 220<br/>
192.168.1.50 via 192.168.1.254 dev eth0 proto static</div>
<div> </div>
<div>Symptoms:</div>
</div>
<div> </div>
<div>I am able to establish a VPN connection from the internet to the responder and the client is assigned an IP from the DHCP pool.</div>
<div> </div>
<div>The responder can ping the client's IP address assigned from DHCP - therefore 2-way communication over the tunnel. The remote internet client can also send packets over the tunnel to the rest of the 192.168.1.0/24 subnet which reach their destination (e.g. to 192.168.1.2). The responder then correctly replies to ARP on behalf of the clients address (e.g. 192.168.1.50) and the return packet arrives to the responders interface. However, the responder is replying with ICMP redirect to 192.168.1.254 to the sender and therefore the return packet does not reach the client.</div>
<div> </div>
<div>Any ideas?</div>
<div> </div>
<div>Cheers,</div>
<div> </div>
<div>Michael.</div>
<div> </div>
<div> </div>
<div> </div></div></body></html>