<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Sat, May 5, 2018 at 2:58 AM Arab Abdulla <<a href="mailto:arab666@protonmail.com">arab666@protonmail.com</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote style="padding:0px 0px 0px 1rem!important;margin:0px!important;border-left-width:4px!important;border-left-style:solid!important;border-left-color:rgb(229,229,229)!important;color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none" type="cite" class="m_5797200061479650019protonmail_quote"><div dir="ltr"><div class="gmail_quote"><div>Client 1 sends the packet addressed for 8.8.4.4, and the server receives it. Now the server doesn't know about the routing tables on client 1: it only knows it has this packet addressed to 8.8.4.4. How does the server know a packet for 8.8.4.4 should go through client 2?<br></div></div></div></blockquote><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">It seems it's the root of the problem. Why does the server not know? Why is the gateway not used? 
My routing on client 1 is:<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">root@ubuntu1604:~# ip r g 8.8.4.4<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">8.8.4.4 via 10.10.3.1 dev ipsec2  src 10.10.2.1<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">    cache<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">So, IPsec should encapsulate its destination and send traffic to 10.10.3.1, shouldn't it? 
But instead, on the server I see (49 is client 1 and 47 is the server):<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">19:38:57.180893 IP 10.2.0.49.4500 > 10.2.0.47.4500: UDP-encap: ESP(spi=0xc3d23f24,seq=0xc), length 120<br></div><div style="color:rgb(85,85,85);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">19:38:57.180981 IP 10.10.2.1 > <a href="http://8.8.4.4" target="_blank">8.8.4.4</a>: ICMP echo request, id 13060, seq 12, length 64</div></blockquote><div><br></div><div>That's simply not how IP works. Without any special options, the IP header doesn't contain the path, but only the final destination. Nominally, the path is determined independently by each router deciding what the next hop is, and adjacent routers are on the same L2 network (which may be a point-to-point Ethernet link of only two hosts, or in your case, a virtual one implemented as an IPsec tunnel).</div><div><br></div><div>The canonical solution would be to have a route on the server (10.10.1.1, I think it was?). Other ideas involve an ipip tunnel between the clients (10.10.3.1 and 10.10.2.1), or possibly you can do something with IP source routing options.</div></div></div>
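To make the hop-by-hop point concrete, here is an added simulation (not code from either poster) of the forwarding decision at each node: only the destination travels in the header, a point-to-point tunnel delivers to its peer regardless of the "via" address on the sender's route, and the server then consults its own table. The tunnel interface names, the server address 10.10.1.1, the default gateways 10.2.0.1 and 192.0.2.1, and the server's routing table are assumptions; the client 1 route is the one from the thread.

```python
import ipaddress

# Constructed topology from the thread: client 1 (10.10.2.1) and client 2 (10.10.3.1)
# each have a point-to-point IPsec tunnel to the server (10.10.1.1). Interface
# names, the default gateways and the server's table are assumptions.
PEER = {                                      # (node, device) -> far end of the p2p link
    ("10.10.2.1", "ipsec2"): "10.10.1.1",    # client 1 tunnel -> server
    ("10.10.3.1", "ipsec3"): "10.10.1.1",    # client 2 tunnel -> server
    ("10.10.1.1", "tun-c1"): "10.10.2.1",    # server tunnel -> client 1
    ("10.10.1.1", "tun-c2"): "10.10.3.1",    # server tunnel -> client 2
}
CLIENT1 = [("8.8.4.4/32", "10.10.3.1", "ipsec2"),   # the route shown in the thread
           ("0.0.0.0/0", "10.2.0.1", "eth0")]       # assumed default route
CLIENT2 = [("0.0.0.0/0", "192.0.2.1", "eth0")]      # assumed uplink of client 2
SERVER_NO_ROUTE = [("0.0.0.0/0", "10.2.0.1", "eth0")]
SERVER_FIXED = [("8.8.4.4/32", "10.10.3.1", "tun-c2")] + SERVER_NO_ROUTE  # the canonical fix

def next_hop(table, dst):
    """Longest-prefix match over (prefix, via, dev) rows; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else best[1:]

def trace(tables, start, dst, max_hops=8):
    """Forward hop by hop. Only dst is in the IP header: every node consults its
    own table, and a p2p tunnel hands the packet to its peer no matter what
    'via' address the sender's route named (the server never sees it)."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path + ["dropped: no route"]
        via, dev = hop
        peer = PEER.get((node, dev), via)     # p2p link -> peer; LAN -> the gateway
        path.append(peer)
        if peer not in tables:                # left the simulated topology
            return path + ["exits the simulated topology"]
        node = peer
    return path + ["hop limit exceeded"]

def simulate(server_table):
    """Path of a packet from client 1 to 8.8.4.4 for a given server routing table."""
    tables = {"10.10.2.1": CLIENT1, "10.10.3.1": CLIENT2, "10.10.1.1": server_table}
    return trace(tables, "10.10.2.1", "8.8.4.4")
```

Without the server route the packet leaves the server through its default gateway and never touches client 2; with the added /32 route on the server it is forwarded over the second tunnel to 10.10.3.1.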