Hi,
We are trying to build a configuration with 2 Pritunl servers on OCI, accessing on-premises servers through an OCI IPsec gateway.
We need to manage multiple population types and access rules, so we will use multiple VPN ranges; NAT is disabled on the on-premises range.
VXLAN is enabled on both servers to allow them to share the VPN range, and it works: clients connected on 2 different servers can see each other.
OCI route advertisement is configured and works too, however it also publishes the VXLAN range 100.97.162.0/24; I’m not sure if this is useful/normal?
Now the issue: when connected on the server NOT advertised, we can’t open an SSH session to our on-premises server; however it works OK on the advertised server.
I believe it’s an issue of asymmetric routing: on the non-advertised server, packets go out directly through the gateway, but they come back through the advertised server and the VXLAN, causing the issue.
To solve it, I added a rule on the non-advertised server to forward all the packets sent to the on-premises server and originating from the VPN range to the advertised server through the VXLAN interface.
In that way, sent and received packets follow the same routes.
Here is what I used (on-premises 192.168.3.0/24, VPN range 171.7.100.0/24):
sudo ip route add table 162 192.168.3.0/24 via 100.97.162.1
sudo ip rule add table 162 from 172.17.100.0/24
And it works!
Could you please add an option somewhere to automate this in the route advertisement module?
Thanks
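To make the asymmetric-routing explanation above concrete, here is an added example (not code from the post or from Pritunl): a small Python model of Linux policy routing (longest-prefix match plus an ordered ip-rule list) that traces the client-to-on-premises path and its reply with and without the poster's table 162 rule. Node names (client, vpn1, vpn2, oci-gw, onprem) and the assumption that vpn1 is the advertised server and the VXLAN peer at 100.97.162.1 are mine; the prefixes are the ones from the post's commands.

```python
import ipaddress
# Constructed model (added example, not code from the post or from Pritunl): a tiny
# simulation of Linux policy routing showing why the poster's "ip rule ... table 162"
# fix makes the VPN-to-on-premises path symmetric. Node names are hypothetical labels;
# prefixes come from the post's commands; vpn1 = advertised server / VXLAN peer 100.97.162.1.

def lookup(table, dst):
    """Longest-prefix match in one routing table: [(prefix, next_hop), ...]."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None
def select_next_hop(node, src, dst):
    """Walk the node's ip-rule list in order; the first table with a match wins."""
    for selector, table in node["rules"]:
        if selector is None or src in ipaddress.ip_network(selector):
            nh = lookup(node["tables"][table], dst)
            if nh is not None:
                return nh
    raise LookupError(f"no route to {dst}")
def trace(nodes, src_node, src, dst_node, dst):
    """Return the nodes a packet src->dst is handed to, in order, ending at dst_node."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path, cur = [], src_node
    while cur != dst_node:
        cur = select_next_hop(nodes[cur], src, dst)
        path.append(cur)
    return path
def is_symmetric(nodes):
    """True when the reply retraces the forward path (no asymmetric routing)."""
    fwd = trace(nodes, "client", "172.17.100.5", "onprem", "192.168.3.10")
    rev = trace(nodes, "onprem", "192.168.3.10", "client", "172.17.100.5")
    return fwd[:-1] == list(reversed(rev[:-1]))
def topology(with_fix):
    main_only = [(None, "main")]  # vpn2 is the non-advertised server
    vpn2_rules = ([("172.17.100.0/24", "162")] if with_fix else []) + main_only
    return {
        "client": {"rules": main_only, "tables": {"main": [("0.0.0.0/0", "vpn2")]}},
        "vpn2": {"rules": vpn2_rules, "tables": {
            "main": [("172.17.100.0/24", "client"), ("0.0.0.0/0", "oci-gw")],
            "162": [("192.168.3.0/24", "vpn1")]}},  # via the VXLAN peer
        "vpn1": {"rules": main_only, "tables": {"main": [
            ("172.17.100.0/24", "vpn2"), ("192.168.3.0/24", "oci-gw")]}},
        "oci-gw": {"rules": main_only, "tables": {"main": [
            ("172.17.100.0/24", "vpn1"), ("192.168.3.0/24", "onprem")]}},  # advertised
        "onprem": {"rules": main_only, "tables": {"main": [("0.0.0.0/0", "oci-gw")]}},
    }
```

Without the rule the forward path is vpn2, oci-gw, onprem while the reply comes back through oci-gw, vpn1, vpn2; with it, both directions traverse vpn1.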