Not sure if it's the fact it's behind a router-to-router tunnel or something different in CentOS 7, but I have 30 machines at a remote location, and I'm using a site-to-site tunnel from the local office to the remote office. Now all the CentOS 6.2 systems are fine: you can ping them over the tunnel and connect to them over the tunnel, no issues whatsoever. I installed a CentOS 7 machine later and could not connect to it through the tunnel, and every other ping request times out.

Without ip_forward=1:

Pinging 172.16.0.8 with 32 bytes of data:
Reply from 172.16.0.8: bytes=32 time=93ms TTL=62
Request timed out.
Reply from 172.16.0.8: bytes=32 time=94ms TTL=62
Request timed out.
Reply from 172.16.0.8: bytes=32 time=97ms TTL=62
Request timed out.

With ip_forward=1:

Pinging 172.16.0.8 with 32 bytes of data:
Reply from 172.16.0.8: bytes=32 time=92ms TTL=62
Reply from 172.16.0.8: bytes=32 time=92ms TTL=62
Reply from 172.16.0.8: bytes=32 time=93ms TTL=62
Reply from 172.16.0.8: bytes=32 time=92ms TTL=62

Ping statistics for 172.16.0.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 92ms, Maximum = 93ms, Average = 92ms

Without IP forwarding turned on via sysctl.conf I cannot ping or SSH to the CentOS 7 machine in the remote office that's connected via the VPN tunnel. I can connect to any 6.2 machine and ping them just fine, so I know the tunnel is not an issue; it's an issue only with version 7 of CentOS. I can even RDP to the Windows 2008 and 2012 Servers and RDP to the Windows 10 machine. As I have said, this seems to be something only with CentOS 7. I can leave IP forwarding on, I guess; it's no big deal.

Am I doing something wrong with CentOS 7? Did they change something in CentOS 7? Or is this just normal behavior?

Now when I ping from the CentOS 7 machine to a machine in the local office I do get these weird replies:

PING 172.16.1.100 (172.16.1.100) 56(84) bytes of data.
from 172.16.0.254: icmp_seq=1 Redirect Host(New nexthop: 172.16.1.100)

Not sure what this ICMP redirect means. 172.16.0.254 is the remote router it's connected to. I get the ICMP redirect whether ip_forward is on or off.

Both edge routers are running pfSense with an IPsec site-to-site tunnel.

1 Answer


OK, I found the problem on the pfSense forums, so if anyone else has this weird issue: it's a bug in pfSense's IPsec routing. pfSense sees the other end of the tunnel as a second router on the same LAN segment, so what happens is it sends an ICMP redirect thinking that the other router is a better route, and this of course fails because the other router is only accessible through the tunnel; it's not directly accessible. It's easily fixed by going into the pfSense admin site, going to Advanced, then System Tunables, and setting icmp redirect to 0. At that point the machine at the remote site sends the packet to its router, which then sends the packet over the tunnel to the remote router, which then sends it where it has to go. Why enabling ip_forward on CentOS 7 got around this bug I still don't know.

But that's why the machine could not be accessed: it was trying to use the ICMP redirect to send the packet to a destination it could not reach.
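As an added example (not part of the question or the answer above), the following shell snippet shows the host-side checks a defender would run for this symptom on the Linux machine itself rather than on the firewall. It reproduces the rule from the kernel's ip-sysctl documentation for how `net.ipv4.conf.all.accept_redirects`, the per-interface `accept_redirects` and `forwarding` combine into the effective setting (with forwarding off, either being 1 is enough to accept a redirect; with forwarding on, both must be 1), so the forwarding flag changes how redirects are evaluated and the effective value is worth checking rather than assumed. It also counts `Redirect Host` notices in ping output like the one quoted in the question, and prints a sysctl.d drop-in that makes the host ignore redirects regardless of ip_forward. The interface name, the `/proc/sys` path check and the drop-in file name are assumptions; the ping sample is constructed from the output in the question.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.

# Kernel rule (Documentation/networking/ip-sysctl): redirects are accepted on an
# interface when forwarding is ON and BOTH all/IF accept_redirects are 1, or when
# forwarding is OFF and EITHER all/IF accept_redirects is 1.
# Usage: effective_accept_redirects FORWARDING ALL_ACCEPT IF_ACCEPT  -> prints 0 or 1
effective_accept_redirects() {
    fwd=$1; all=$2; ifc=$3
    if [ "$fwd" = 1 ]; then
        if [ "$all" = 1 ] && [ "$ifc" = 1 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" = 1 ] || [ "$ifc" = 1 ]; then echo 1; else echo 0; fi
    fi
}

# Read the live values for one interface and report the effective setting.
# Assumes a Linux /proc/sys tree; the interface name is the caller's choice.
# Usage: check_interface eth0
check_interface() {
    ifc=$1
    base=/proc/sys/net/ipv4/conf
    [ -r "$base/$ifc/forwarding" ] || { echo "no sysctl tree for $ifc" >&2; return 1; }
    effective_accept_redirects "$(cat "$base/$ifc/forwarding")" \
        "$(cat "$base/all/accept_redirects")" \
        "$(cat "$base/$ifc/accept_redirects")"
}

# Count ICMP redirect notices in ping output read from stdin.
# grep -c exits 1 when the count is 0, so neutralise that for set -e callers.
redirects_in_ping_output() {
    grep -c 'Redirect Host' || true
}

# Constructed sample modelled on the output quoted in the question.
SAMPLE_PING='PING 172.16.1.100 (172.16.1.100) 56(84) bytes of data.
From 172.16.0.254: icmp_seq=1 Redirect Host(New nexthop: 172.16.1.100)
64 bytes from 172.16.1.100: icmp_seq=2 ttl=62 time=92.1 ms'

# Hardening drop-in: the host stops honouring redirects whatever ip_forward is.
# The file name is an assumption; apply with: sysctl --system
print_sysctl_dropin() {
    cat <<'EOF'
# /etc/sysctl.d/90-no-icmp-redirects.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
}

# Offline demo: the constructed sample carries one redirect, and a plain host
# (forwarding off, both accept_redirects at the usual default of 1) accepts them.
echo "redirects seen in sample: $(printf '%s\n' "$SAMPLE_PING" | redirects_in_ping_output)"
echo "effective accept_redirects, forwarding=0 all=1 if=1: $(effective_accept_redirects 0 1 1)"
echo "effective accept_redirects, forwarding=1 all=1 if=0: $(effective_accept_redirects 1 1 0)"
```

On a live CentOS host, `check_interface eth0` (substituting the real interface) reports the effective value for that interface, and `print_sysctl_dropin > /etc/sysctl.d/90-no-icmp-redirects.conf && sysctl --system` makes the host ignore redirects without touching ip_forward; the pfSense-side fix in the answer removes the bogus redirect at its source, and the host-side setting is the belt-and-braces counterpart.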