Posted by Ray Bellis on March 7, 2005, 12:47 pm
We have a customer who is part of a (large) internal network using 10.0.0.0/8.
Each department within the network is assigned a /16, and each site
within that department is assigned a /24 from that /16.
The routing within this network is handled by a managed VPN provider,
and each site has its own connection to the network - traffic from a
particular office does *not* route via the relevant department HQ back
to the core network.
Our customer is the HQ of the department using 10.225.1/24, and they
want to connect some new sites without using the managed VPN provider.
We had hoped to split out each of the /24s from 10.225.128.0 upwards,
and then use an IPSEC VPN between there and the main network, i.e.
+-----------------+             +-----------------+
|                 |             |                 |
| 10.225.128.0/24 +---- VPN ----+ 10.225.1.0/24   |
|        +        |             |                 |
+-----------------+             +-----------------+
This works fine so long as we only want to talk to department HQ.
However they also need to be able to talk to other parts of the internal
network which are in other parts of the 10/8 network.
We therefore attempted to configure the VPN router at the
10.225.128.0/24 site with a remote IPSEC subnet of 10/8.
At this point that router stops responding to its configuration
interface! :(
We can only surmise that this is because the router sees incoming
packets on its LAN interface, and decides solely on the basis of the
tunnel's remote subnet that these packets must be tunneled, even though
they're addressed to the router's own LAN interface.
I'm led to believe that this should be a perfectly normal
configuration, and yet it doesn't work properly on these Zyxel 662 DSL
routers.
Can anyone point me at some documentation that proves (or otherwise)
that the Zyxel behaviour is incorrect?
kind regards,
Ray
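Added example, not part of Ray's post and not Zyxel code: a small Python model of the two lookup orders the post contrasts. `classify_naive` matches the tunnel's remote selector before anything else, which is the surmised behaviour that swallows packets addressed to the router's own LAN interface once the remote subnet is 10/8; `classify_ordered` checks the router's own addresses and the directly connected LAN first, which is the normal expectation. `overlapping_selectors` is the configuration check a practitioner would want before committing such a policy, and `carve_out` shows one workaround that keeps the wide 10/8 selector while excluding the local /24. The router's LAN address 10.225.128.1 is an assumption; the post does not state it.

```python
import ipaddress
from typing import Iterable, List

# Constructed values for the scenario in the post. The router's own LAN
# address (10.225.128.1) is assumed; everything else is from the post.
LOCAL_SUBNET = ipaddress.ip_network("10.225.128.0/24")
ROUTER_LAN_ADDR = ipaddress.ip_address("10.225.128.1")
TUNNEL_REMOTE = ipaddress.ip_network("10.0.0.0/8")

ROUTER_ADDRS = (ROUTER_LAN_ADDR,)
LOCAL_SUBNETS = [LOCAL_SUBNET]


def classify_naive(dst: str, tunnel_remotes: Iterable[ipaddress.IPv4Network]) -> str:
    """Surmised router behaviour: the tunnel selector is consulted first,
    so anything inside the remote subnet is tunneled, even the router's
    own LAN address."""
    addr = ipaddress.ip_address(dst)
    for net in tunnel_remotes:
        if addr in net:
            return "tunnel"
    return "forward"


def classify_ordered(dst: str,
                     router_addrs: Iterable[ipaddress.IPv4Address],
                     local_subnets: Iterable[ipaddress.IPv4Network],
                     tunnel_remotes: Iterable[ipaddress.IPv4Network]) -> str:
    """Expected behaviour: local delivery wins, then the directly connected
    LAN, and only then the IPsec selectors."""
    addr = ipaddress.ip_address(dst)
    if addr in router_addrs:
        return "local"          # destined for the router itself (e.g. its config UI)
    for net in local_subnets:
        if addr in net:
            return "lan"        # another host on the same LAN, never tunneled
    for net in tunnel_remotes:
        if addr in net:
            return "tunnel"
    return "forward"


def overlapping_selectors(tunnel_remote: ipaddress.IPv4Network,
                          local_subnets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Pre-commit check: which local subnets would a remote selector cover?
    A non-empty result is the misconfiguration described in the post."""
    return [n for n in local_subnets if tunnel_remote.overlaps(n)]


def carve_out(tunnel_remote: ipaddress.IPv4Network,
              local_subnets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Split the remote selector into the smallest set of prefixes that
    cover it minus the local subnets, for routers that cannot express an
    explicit bypass policy."""
    remaining = [tunnel_remote]
    for local in local_subnets:
        nxt = []
        for net in remaining:
            if not net.overlaps(local):
                nxt.append(net)
            elif local.subnet_of(net):
                nxt.extend(net.address_exclude(local))
            # else: net lies entirely inside local, so it is dropped
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    for dst in ("10.225.128.1", "10.225.128.50", "10.225.1.10", "192.0.2.1"):
        print(dst, "naive:", classify_naive(dst, [TUNNEL_REMOTE]),
              "ordered:", classify_ordered(dst, ROUTER_ADDRS, LOCAL_SUBNETS, [TUNNEL_REMOTE]))
    print("overlap:", overlapping_selectors(TUNNEL_REMOTE, LOCAL_SUBNETS))
    print("carved selectors:", len(carve_out(TUNNEL_REMOTE, LOCAL_SUBNETS)))
```

With 10/8 as the remote selector the naive order classifies the router's own address as "tunnel", which matches the symptom of the configuration interface going silent; `overlapping_selectors` flags the overlap up front, and `carve_out` yields sixteen prefixes (one per length from /9 to /24) that together equal 10/8 minus 10.225.128.0/24.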