Hello,
The routers used by our company are connected to a remote server using IPsec. It's a "one-sided" tunnel: we use the remote subnet but don't share anything from our side. This configuration worked great for a long time, but suddenly routing of the remote subnet stopped working on two devices (the others are OK). Both have a common NAT (and always had). The ISP and the admin of the second network didn't find any issue (the connection looks valid from his point of view). Service restarts and router reboots don't help.
Firmware version: 7.02.04 (the latest), but on 7.01.04 it was similar.
Some output (from one router):
# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2
conn PAK-PAK_c
left=%any
right=<censored>
leftfirewall=yes
rightfirewall=yes
ikelifetime=24h
lifetime=12h
margintime=9m
keyingtries=3
dpdaction=none
dpddelay=30s
dpdtimeout=90s
leftauth=psk
rightauth=psk
rightsubnet=10.212.143.0/24
auto=start
leftsubnet=192.168.1.0/24
leftid=<censored>
forceencaps=no
type=tunnel
keyexchange=ikev2
esp=aes128-sha256-modp1536
ike=aes128-sha256-modp1536
rightsubnet=10.212.143.0/24
# ipsec status
Security Associations (1 up, 0 connecting):
PAK-PAK_c[6]: ESTABLISHED 10 hours ago, 192.168.192.201[<censored>]..<censored>[<censored>]
PAK-PAK_c{11}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c18d8d53_i 1a4f1a69_o
PAK-PAK_c{11}: 192.168.1.0/24 === 10.212.143.0/24
# ip route show table 220
10.212.143.0/24 via 192.168.192.254 dev eth1 proto static src 192.168.1.1
# traceroute 10.212.143.73
traceroute to 10.212.143.73 (10.212.143.73), 30 hops max, 38 byte packets
1 192.168.192.254 (192.168.192.254) 3.230 ms 1.283 ms 1.145 ms
2 10.0.0.109 (10.0.0.109) 12.199 ms 6.439 ms 7.442 ms
3 <censored public IP> (<censored public IP>) 12.660 ms 16.864 ms *
As you can see, it tries to route the remote subnet via the Internet instead of through the tunnel.
The dump is null on the correctly working routers.
192.168.192.0/24 is the WAN subnet, 192.168.1.1/24 is the LAN subnet, and 10.212.143.0/24 is the remote subnet.
Thank you for help.
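As an added example (not part of the original post, and not the router vendor's code), here is a small offline checker that cross-reads the three outputs the post shows: the strongSwan `ipsec status` traffic selector, the `table 220` route, and the traceroute. It answers the three questions a reader would ask in this thread: does an installed CHILD_SA cover the source/destination pair at all, what does table 220 do with the destination, and did the probes visibly leave the router unencrypted (a public transit hop cannot appear inside an ESP tunnel). The sample text is constructed to mirror the post, with the censored peer and hop 3 replaced by documentation addresses (203.0.113.x); the function names are this example's own.

```python
"""Offline sanity check for the symptom in the post above: destination inside
the IPsec rightsubnet, CHILD_SA INSTALLED, but traceroute shows Internet hops.

All text constants are constructed samples modelled on the post's output; the
censored peer address and public hop are replaced by 203.0.113.x (RFC 5737)."""
import ipaddress
import re

IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
 PAK-PAK_c[6]: ESTABLISHED 10 hours ago, 192.168.192.201[site-a]...203.0.113.10[site-b]
 PAK-PAK_c{11}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c18d8d53_i 1a4f1a69_o
 PAK-PAK_c{11}:   192.168.1.0/24 === 10.212.143.0/24
"""

ROUTE_TABLE_220 = "10.212.143.0/24 via 192.168.192.254 dev eth1 proto static src 192.168.1.1\n"

TRACEROUTE = """\
traceroute to 10.212.143.73 (10.212.143.73), 30 hops max, 38 byte packets
 1  192.168.192.254 (192.168.192.254)  3.230 ms  1.283 ms  1.145 ms
 2  10.0.0.109 (10.0.0.109)  12.199 ms  6.439 ms  7.442 ms
 3  203.0.113.1 (203.0.113.1)  12.660 ms  16.864 ms  *
"""

# "<conn>{<n>}:   <local TS> === <remote TS>" lines of `ipsec status`
TS_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$", re.M)
# "<hop>  <name> (<ip>)  ..." lines of traceroute
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)", re.M)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_traffic_selectors(status):
    """Return [(conn, local_net, remote_net)] for every installed CHILD_SA."""
    return [(c, ipaddress.ip_network(l), ipaddress.ip_network(r)) for c, l, r in TS_RE.findall(status)]


def parse_routes(text):
    """Parse `ip route show` lines into (prefix, {via/dev/proto/src: value})."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        routes.append((prefix, dict(zip(tok[1::2], tok[2::2]))))
    return routes


def sa_for(selectors, src, dst):
    """Name of the CHILD_SA whose traffic selector covers src -> dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for conn, local, remote in selectors:
        if src in local and dst in remote:
            return conn
    return None


def best_route(routes, dst):
    """Longest-prefix match for dst, or None if the table has no covering route."""
    dst = ipaddress.ip_address(dst)
    matches = [(p, a) for p, a in routes if dst in p]
    return max(matches, key=lambda pa: pa[0].prefixlen, default=None)


def parse_traceroute(text):
    return [(int(n), ipaddress.ip_address(ip)) for n, _, ip in HOP_RE.findall(text)]


def cleartext_hops(hops, remote_net):
    """Hops that are neither inside the remote subnet nor RFC 1918 space.
    An ESP-encapsulated probe is answered from the far side of the tunnel or
    not at all, so a public transit router answering means the probe left the
    router unencrypted (what the post calls 'routed via Internet')."""
    return [(n, ip) for n, ip in hops if ip not in remote_net and not any(ip in p for p in RFC1918)]


def diagnose(status, routes_text, trace_text, src, dst):
    sels = parse_traffic_selectors(status)
    conn = sa_for(sels, src, dst)
    route = best_route(parse_routes(routes_text), dst)
    remote = next((r for c, _, r in sels if c == conn), None)
    leaks = cleartext_hops(parse_traceroute(trace_text), remote) if remote else []
    if conn is None:
        verdict = "no installed CHILD_SA traffic selector covers this src/dst pair"
    elif route is None:
        verdict = "no route in table 220 covers the destination"
    elif leaks:
        verdict = "selector and table-220 route look right, yet probes reached public hops: packets are bypassing the kernel xfrm policy"
    else:
        verdict = "consistent: no public transit hop seen"
    return {"child_sa": conn,
            "route_via": route[1].get("via") if route else None,
            "route_src": route[1].get("src") if route else None,
            "cleartext_hops": [str(ip) for _, ip in leaks],
            "verdict": verdict}


if __name__ == "__main__":
    # Router-originated traceroute: source is the table-220 'src' 192.168.1.1.
    print(diagnose(IPSEC_STATUS, ROUTE_TABLE_220, TRACEROUTE, "192.168.1.1", "10.212.143.73"))
    # Same destination, but sourced from the WAN address: no selector covers it.
    print(sa_for(parse_traffic_selectors(IPSEC_STATUS), "192.168.192.201", "10.212.143.73"))
```

Two things the checker makes explicit that the raw output does not: hop 1 being the WAN gateway is by itself normal, because strongSwan's table-220 route deliberately points the remote subnet at the path towards the peer and the kernel xfrm policy encrypts the packet afterwards; the anomaly is hops 2 and 3. And a packet whose source address falls outside `leftsubnet` (here, anything sourced from 192.168.192.201 rather than 192.168.1.x) is not covered by the traffic selector at all, which is why the second call returns `None`; on a real router the next step would be comparing `ip xfrm policy` against these selectors.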