I'm testing a site-to-site configuration from OpenWrt to a commercial gateway (paloalto). I can establish the tunnel and communicate from the gateway side (rightsubnet) to OpenWrt and the clients behind it (leftsubnet), but I can't communicate from OpenWrt itself and its clients to the network behind the gateway. To communicate from rightsubnet to leftsubnet I had to add:
/etc/config/firewall
config forwarding 'allow_right_to_left'
option src 'wan'
option dest 'lan'
When I try to communicate from leftsubnet to rightsubnet I see the following, where eth2 is the interface connected to the modem, 192.168.0.157 is the WAN IP given by the modem and 172.30.142.2 is a host at rightsubnet. The actual source of the packet is 192.168.123.12.
root@OPENWRT:~# tcpdump -i eth2 -n dst host 172.30.142.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
13:10:28.470120 IP 192.168.0.157 > 172.30.142.2: ICMP echo request, id 1, seq 8, length 40
13:10:33.483124 IP 192.168.0.157 > 172.30.142.2: ICMP echo request, id 1, seq 9, length 40
There is no traffic getting to the gateway of rightsubnet, so I assume this packet is not being tunneled. What can I look at to solve this? It's clear that the packet is crossing the lan-to-wan boundary of OpenWrt, but after that I'm not sure what behaviour I should see.
This is my ipsec statusall output regarding the left and right sides:
paloalto{3}: 192.168.123.0/24 === 172.16.0.0/12
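A check of the capture against the selector line, added here as an example that is not part of the original post: it parses the `ipsec statusall` selector and the tcpdump lines quoted above and flags packets whose destination falls inside the remote selector but whose source has become the WAN address. The classification rule (that such a packet was masqueraded before the IPsec policy lookup) is the editor's assumption, and the inputs are constructed copies of the lines above, meant to be run on a workstation rather than on the router.

```python
"""Compare plaintext packets seen on the WAN interface with the IPsec
traffic selectors reported by `ipsec statusall`."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the selector line and capture lines from the post.
STATUSALL = "paloalto{3}: 192.168.123.0/24 === 172.16.0.0/12"
CAPTURE = """\
13:10:28.470120 IP 192.168.0.157 > 172.30.142.2: ICMP echo request, id 1, seq 8, length 40
13:10:33.483124 IP 192.168.0.157 > 172.30.142.2: ICMP echo request, id 1, seq 9, length 40
"""
WAN_ADDR = "192.168.0.157"  # address the modem handed to eth2 (from the post)

# "<name>{<id>}: <left-net> === <right-net>" as printed for each CHILD_SA
SELECTOR_RE = re.compile(r"^(\S+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)")
# "<time> IP <src>[.port] > <dst>[.port]: ..." as printed by tcpdump -n
PKT_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\S* > (\d+\.\d+\.\d+\.\d+)\S*:")


def parse_selectors(text):
    """Return (name, left_net, right_net) for every selector line in the text."""
    sels = []
    for line in text.splitlines():
        m = SELECTOR_RE.match(line.strip())
        if m:
            sels.append((m.group(1), ip_network(m.group(2)), ip_network(m.group(3))))
    return sels


def classify(src, dst, selectors, wan_addr):
    """Say why a packet that appeared in clear on the WAN side was not tunneled."""
    src, dst = ip_address(src), ip_address(dst)
    for _name, left, right in selectors:
        if src in left and dst in right:
            return "policy-match"       # selector matches: inspect xfrm state/policy instead
        if dst in right and src == ip_address(wan_addr):
            return "nat-before-ipsec"   # source masqueraded, so the selector no longer matches
        if dst in right:
            return "src-outside-selector"
    return "not-tunnel-traffic"


def audit(capture, statusall, wan_addr):
    """Classify each tcpdump line; returns a list of (src, dst, verdict)."""
    selectors = parse_selectors(statusall)
    results = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if m:
            results.append((m.group(1), m.group(2), classify(m.group(1), m.group(2), selectors, wan_addr)))
    return results
```

A "nat-before-ipsec" verdict on OpenWrt usually means the wan zone's masquerade is rewriting the source ahead of the IPsec policy check, which a NAT exemption for the tunnel subnets addresses; confirm with a fresh capture on eth2 afterwards.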