Re: IPSEC routing ?
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Tue, 16 Dec 2008 17:05:53 -0600
Routing is not handled by the ISP. The ISP, or anything on the outside of
the Tunnel only see the "outside" of the Tunnel,...nothing sees the inside
of the Tunnel. It doesn't matter if it is PPTP, L2TP, or IPSec Tunneling.
Look at the routing situation. Routing has 3 components,...Source
Interface (IP#),...the Gateway (aka first-hop router),...and the
Destination.
Site-to-Site VPN and Remote Access VPN act totally different.....
With Remote Access VPN:
Source = the IP granted via DHCP [usually] that the Client received
when establishing the VPN connection.
Router = Same thing as the Source. Remote Access VPN works just
like a Dialup connection and the Client becomes their own Gateway for
anything that isn't on their own local subnet. This means that anything not
destined for the local subnet is passed to the "Dialup Adapter" **no matter
what it is**.
Destination = Just obviously the Destination. Since it is not on
the Client's own local subnet the traffic is just "dropped" on the Dialup
Connection [aka the VPN] and it gets to where it is going.
With Site-to-Site VPN:
Site-to-Site VPN is completely different and works more like a Private
Leased Line. This means the VPN Router behaves just like a regular LAN
Router between two LAN or WAN segments,...that is a key point, so remember
that. The tunneling protocol (PPTP, L2TP, or IPSec Tunneling) is irrelevant
to the routing.
Source = The Client's own normal IP# on the LAN it lives on
Router = The routing device that creates the VPN Tunnel.
Destination = Just obviously the Destination.
The LAN's Routing Scheme has to independently on its own know how to route
the traffic. Just because the Site-to-Site VPN link "exists" does not mean
it will get used. In a *multi-subnet* LAN there is already a LAN Router
handling the LAN's routing decisions,...so you just add a "route" to the LAN
Router that tells it to use the VPN Router as the "gateway" for the subnet
on the opposite side of the VPN. In some cases you may want to configure
your firewall device's LAT to include the remote subnet so that it doesn't
try to pass the traffic to the raw Internet and may need to add the same
"route" to the Firewall that you did the LAN Router.
But if you have a *single-subnet* LAN then there is no LAN Router, which is
bad,...and things can get ugly. Remember what I told you to remember up
above? Why?,...because your VPN Router just suddenly became the "official"
LAN Router for the LAN but unfortunately all the Clients are using the
Firewall as the Default Gateway instead of the VPN Router [now your LAN
Router]. To compound that the VPN Router is most likely using an Internet
located device as its Default Gateway and not your own Firewall, and if you
change that Default Gateway without "setting the stage" first you will take
down the Tunnel.
To compound it even more the Firewall [if it is a good one] will not handle
acting as a "router" by just giving it a Static Route to the VPN router for
the remote subnet because the traffic will appear spoofed. This happens
because the packets don't follow the same path in both directions,...so the
Firewall does not see both sides of the conversation which "breaks the
statefulness" and the traffic is then declared to be "spoofed" traffic.
This is called the "Network behind a Network Scenario".
Well, if we are only talking about one or two Client machines you can just
configure them with Static Routes to use the VPN Router for the remote
subnet. But if we are talking about the whole LAN that just isn't smart to
do. To satisfy the whole LAN you would have to:
1. Create a Static Route on the VPN Router that tells it to use its
favorite Internet device as the gateway to contact the Public IP of the VPN
Router on the other end. This will "set the stage" to be able to change its
Default Gateway to be the local Firewall while still being able to create
the Tunnel. Once the Tunnel is re-established again it should then know
what to do with the Private traffic already.
2. Create a Static Route on the Firewall that tells it to use the VPN
Router as the gateway to the Private Subnet on the other end of the VPN.
Then add the Private IP Range from the other subnet to the Firewall's LAT so
it doesn't confuse it for Internet traffic.
3. Configure all the Clients on the LAN to use the VPN Device as the
Default Gateway instead of the Firewall
From this point you will treat the VPN Router as the LAN Router and the
subnets on each side of the Tunnel will behave just like two subnets in the
same building together with a regular LAN router between them.
Now just when you think you have been punished enough,...you will have to
repeat all this on the opposite side of the Tunnel within the other LAN.
After all, it takes two sides, properly configured, to have a TCP/IP
conversation.
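As an added illustration (not part of the reply above), the following Python model traces one packet each way between the poster's server and the remote node and reports which devices forward it. The firewall's LAN address 192.168.50.1 is assumed, and the IPsec tunnel is collapsed into the local VPN router so the remote node appears on-link to it; this is what makes the "breaks the statefulness" problem visible before step 3 is done.

```python
import ipaddress

# Addresses from the thread; FIREWALL's LAN address is an assumption.
SERVER, FIREWALL, VPN, REMOTE = "192.168.50.100", "192.168.50.1", "192.168.50.99", "10.10.10.99"
ON_LINK = None  # gateway value meaning "destination is on this segment, deliver directly"


def next_hop(table, dst):
    """Longest-prefix match over [(prefix, gateway)] entries; returns the gateway."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in table if ip in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, src, dst, max_hops=8):
    """Forward one packet hop by hop; return the routers that handle it (src/dst excluded)."""
    path, node = [], src
    for _ in range(max_hops):
        gw = next_hop(tables[node], dst)
        if gw is ON_LINK:  # destination reachable directly from this device
            return path
        path.append(gw)
        node = gw
    raise RuntimeError("hop limit exceeded: routing loop")


def symmetric(tables, a, b):
    """True when the return path is the forward path in reverse (same devices)."""
    return trace(tables, a, b) == list(reversed(trace(tables, b, a)))


def firewall_sees(tables, a, b):
    """(forward, return): does the stateful firewall see each direction?"""
    return (FIREWALL in trace(tables, a, b), FIREWALL in trace(tables, b, a))


# Step 2 done (firewall has a static route to the VPN router), step 3 not yet:
# the server still uses the firewall as its default gateway. Tunnel collapsed
# into VPN, so 10.10.10.0/24 is modelled as on-link for it.
BEFORE = {
    SERVER:   [("192.168.50.0/24", ON_LINK), ("0.0.0.0/0", FIREWALL)],
    FIREWALL: [("192.168.50.0/24", ON_LINK), ("10.10.10.0/24", VPN)],
    VPN:      [("192.168.50.0/24", ON_LINK), ("10.10.10.0/24", ON_LINK)],
    REMOTE:   [("10.10.10.0/24", ON_LINK), ("0.0.0.0/0", VPN)],
}
# Step 3 done: the VPN router is now the LAN's default gateway.
AFTER = {**BEFORE, SERVER: [("192.168.50.0/24", ON_LINK), ("0.0.0.0/0", VPN)]}

if __name__ == "__main__":
    for name, t in (("before step 3", BEFORE), ("after step 3", AFTER)):
        print(name, trace(t, SERVER, REMOTE), trace(t, REMOTE, SERVER),
              "symmetric" if symmetric(t, SERVER, REMOTE) else "ASYMMETRIC", firewall_sees(t, SERVER, REMOTE))
```

Before step 3 the firewall forwards the outbound packet but the reply returns straight from the VPN router to the server, so the firewall sees only half the conversation; after step 3 both directions use only the VPN router.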
"Scott" <nospam123@xxxxxxxxxxx> wrote in message
news:ebKfZ25XJHA.1528@xxxxxxxxxxxxxxxxxxxxxxx
Have a routing issue I'm trying to get my head around.
My network is setup like this:
-------------------------------------------------------------------------------------------------------
REMOTE NODE
(public ip)
|
|
NET
|
|
(public IP)
FIREWALL
(private ip range 192.168.50.0 /24)
|
|
SWITCH
|
|
(192.168.50.100)
SERVER (listening service)
-------------------------------------------------------------------------------------------------------
I have nodes sending data to my listening service using the PUBLIC IP as
the node's target destination address, NAT to listening service, all works
fine.
I need to install an IPSEC vpn connection to allow additional nodes to
connect to my listening service over VPN. These nodes will use the target
destination IP 192.168.50.100 instead of a public IP. The routing at the
remote node end should be ok as managed by my ISP.
-------------------------------------------------------------------------------------------------------
REMOTE NODE
|
|
NET
|
|
(public IP)
FIREWALL
(private ip range 192.168.50.0 /24)
|
|
SWITCH _ _ _ _ _ _ (192.168.50.99) VPN TERMINATION HARDWARE (10.10.10.10)
_ _ _ _ _ _ _ _ _ _ _ _ (10.10.10.99) remote node
|
|
(192.168.50.100)
SERVER (listening service)
-------------------------------------------------------------------------------------------------------
1. My options are to install 3rd party VPN termination hardware as shown
above and make it form part of my 192.168.50.0 /24 private lan. If I do
this how can 192.168.50.100 route to 10.10.10.99 ? what do I need to
configure to ping 10.10.10.99 for example ?
2. I can probably get my FIREWALL to create the IPSEC connection to
(10.10.10.99) remote node. Again how can 192.168.50.100 route to
10.10.10.99 under this circumstance ? ... what would I need to configure
to ping 10.10.10.99 for example ?
I understand you cannot NAT over IPSEC.
Thank you for any advice.