IPsec Gateway


This document describes some challenges and issues identified when testing and using vGateway to connect to the Acreto platform.


Default Route

Once vGateway connects to the Acreto platform, we:

  1. create a direct route to the Acreto platform (“right” server in IPSec nomenclature) via a local gateway, to ensure we can reach the server
  2. create a new default route that goes through vti- device
  3. remove the previous default route to disallow sending any traffic to the Internet if the tunnel is down

This causes several issues:

  1. DHCP can restore the default route when refreshing the lease
  2. If the interface goes down (like network cable disconnect or adapter failure), route in point 1 will disappear, making it impossible to maintain/reconnect ipsec connection (as our default route goes now through vti- device)

Note We are not deleting vti- device/route when the tunnel goes down because this causes a “no route to host” error. It means that any default route records in the routeing table will not be used, because they will have lower priority (higher metric) than vti- default route.