I realize that transmitting packets over IPsec can blow your mind. But help me put my brain back together.
I have 3 routers A, B and C connected in OSPF. Each has a valid routing table:
K <----> (internet) <---> A <---> B <---> C
I connect computer K from the Internet to router A via IPsec and everything works fine until router C connects via IPsec (don’t ask why) to router A. I understand why router C no longer responds to computer K via normal routing (because IPsec distributes addresses to all devices from one subnet). But I cannot understand why router B stops responding to computer K (if the query source is a subnet distributed by IPsec). Please help me understand.
Policies on router A:
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * 0.0.0.0/0 172.20.1.0/24 all
1 DA peer1 yes 0.0.0.0/0 172.20.1.5/32 all encrypt unique 1
2 T 0.0.0.0/0 172.30.1.0/24 all
3 DA peer1 yes 0.0.0.0/0 172.30.1.0/24 all encrypt unique 1
#1 is computer K
#3 is router C
Both templates have different groups, but both peers get an IP from the same subnet 172.20.1.0/24 via Mode Config. So computer K gets, as you see, 172.20.1.5 and router C gets 172.20.1.21. 172.30.1.0/24 is the local subnet of router C.
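As an added illustration (not part of the question and not a diagnosis of it), the policy table above transcribed into a small first-match lookup: RouterOS template policies (T flag) only match peer proposals during IKE negotiation, so only the active, dynamically generated policies decide which traffic is encrypted. The sample source/destination pairs used below are constructed from the addresses in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Policy table transcribed from router A's "/ip ipsec policy print" output in the question.
# Templates (T) are skipped when matching traffic; they exist only to generate DA policies.
@dataclass(frozen=True)
class Policy:
    idx: int
    template: bool
    src: str
    dst: str
    action: str            # "encrypt" for active policies; templates carry no action
    peer: Optional[str] = None

POLICIES = [
    Policy(0, True,  "0.0.0.0/0", "172.20.1.0/24", "none"),
    Policy(1, False, "0.0.0.0/0", "172.20.1.5/32", "encrypt", "peer1"),   # computer K
    Policy(2, True,  "0.0.0.0/0", "172.30.1.0/24", "none"),
    Policy(3, False, "0.0.0.0/0", "172.30.1.0/24", "encrypt", "peer1"),   # router C's LAN
]

def match_policy(src_ip: str, dst_ip: str, policies=POLICIES) -> Optional[int]:
    """Top-to-bottom first match over active (non-template) policies.

    Returns the index of the policy whose selectors cover the packet, or None when
    no active policy applies and the packet is forwarded by plain routing instead.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.template:
            continue
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.idx
    return None

def tunnel_address_coverage(tunnel_addrs, policies=POLICIES):
    """For each Mode Config address handed out, report which active policy on A
    would carry return traffic to it (None = only a template covers it)."""
    # Constructed source: any address on A's side of the network (router B, for instance).
    return {addr: match_policy("10.0.0.1", addr, policies) for addr in tunnel_addrs}

if __name__ == "__main__":
    print("B -> K:", match_policy("10.0.0.1", "172.20.1.5"))          # 1
    print("K -> C's LAN:", match_policy("172.20.1.5", "172.30.1.10"))  # 3
    print(tunnel_address_coverage(["172.20.1.5", "172.20.1.21"]))
```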