Site to site VPNs - how they work

Site to site VPNs - how they work
NewsGroups | Search | Tools
User Password
Register Now! Lost Password?
 comp.dcom.vpn  Post an article  get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content  add this group's latest topics to your Google content  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Site to site VPNs - how they work Fred Marshall 07-02-2007
Posted by Fred Marshall on July 2, 2007, 5:51 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
I have a site to site VPN set up.
Of course, the subnets are different on each side of the tunnel.

I've been led to understand that there is no special routing needed for
packets to get from one side of the tunnel to the other. But, that seems
curious and I'd like to understand it better.

For one thing, I can imagine that there would be a gateway router on each
subnet and that the gateway router would route all traffic going to the
remote subnet to the local VPN IP address as the next hop. I can't imagine
that this is somehow bad practice.

Lacking that type of implementation, how do the packets destined for the VPN
know where the VPN is? Is there some kind of broadcast or what? I can't
imagine that all packets destined for the VPN are broadcast .... ?

Thanks,

Fred



home networking made easy, greater protection, less stress, introducing nm 5.0, 728x90
Posted by Michael Ziegler on July 2, 2007, 6:37 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Fred Marshall wrote:
> For one thing, I can imagine that there would be a gateway router on each
> subnet and that the gateway router would route all traffic going to the
> remote subnet to the local VPN IP address as the next hop. I can't imagine
> that this is somehow bad practice.

These gateways would naturally be the machines that establish the VPN
connection.
You need to set these up so they do routing in two directions, namely
VPN <-> LAN.

Then, you tell your clients (or, the default gateways these clients use)
that they reach the other site via the gateway machine that runs the
VPN, and that's it :)

eg:
Site1:
network: 192.168.1.0/24
router to internet: 192.168.1.1
vpn gateway: 192.168.1.254
vpn address: 10.8.0.1

Site2:
network: 192.168.2.0/24
router to internet: 192.168.2.1
vpn gateway: 192.168.2.254,
vpn address: 10.8.0.2

Route to set on machine 192.168.1.1:
| route add -net 192.168.2.0/24 gw 192.168.1.254

Route to set on machine 192.168.1.254:
| route add -net 192.168.2.0/24 gw 10.8.0.2

Route to set on machine 192.168.2.1:
| route add -net 192.168.1.0/24 gw 192.168.2.254

Route to set on machine 192.168.2.254:
| route add -net 192.168.1.0/24 gw 10.8.0.1

That should do the trick :)

I'm not sure if these routes are sufficient on the VPN gateways, though,
as I'm not familiar with how to setup this without using a shorewall :D

> Lacking that type of implementation, how do the packets destined for the VPN
> know where the VPN is? Is there some kind of broadcast or what? I can't
> imagine that all packets destined for the VPN are broadcast .... ?

What do you mean?


Regards,
Michael

Posted by Fred Marshall on July 3, 2007, 12:02 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> Fred Marshall wrote:
>> For one thing, I can imagine that there would be a gateway router on each
>> subnet and that the gateway router would route all traffic going to the
>> remote subnet to the local VPN IP address as the next hop. I can't
>> imagine that this is somehow bad practice.
>
> These gateways would naturally be the machines that establish the VPN
> connection.
> You need to set these up so they do routing in two directions, namely VPN
> <-> LAN.
>
> Then, you tell your clients (or, the default gateways these clients use)
> that they reach the other site via the gateway machine that runs the VPN,
> and that's it :)
>
> eg:
> Site1:
> network: 192.168.1.0/24
> router to internet: 192.168.1.1
> vpn gateway: 192.168.1.254
> vpn address: 10.8.0.1
>
> Site2:
> network: 192.168.2.0/24
> router to internet: 192.168.2.1
> vpn gateway: 192.168.2.254,
> vpn address: 10.8.0.2
>
> Route to set on machine 192.168.1.1:
> | route add -net 192.168.2.0/24 gw 192.168.1.254
>
> Route to set on machine 192.168.1.254:
> | route add -net 192.168.2.0/24 gw 10.8.0.2
>
> Route to set on machine 192.168.2.1:
> | route add -net 192.168.1.0/24 gw 192.168.2.254
>
> Route to set on machine 192.168.2.254:
> | route add -net 192.168.1.0/24 gw 10.8.0.1
>
> That should do the trick :)
>
> I'm not sure if these routes are sufficient on the VPN gateways, though,
> as I'm not familiar with how to setup this without using a shorewall :D
>
>> Lacking that type of implementation, how do the packets destined for the
>> VPN know where the VPN is? Is there some kind of broadcast or what? I
>> can't imagine that all packets destined for the VPN are broadcast .... ?
>
> What do you mean?

To your last question: it appears it doesn't apply because of the first part
of your answer.

I suppose that some folks use a gateway router to also implement their VPNs.
Then the next hop targetting would be dealt with almost by default.

However, if the VPN device is separate (in parallel with the internet
router) then it appears it needs to be explicitly targetted with routes as
you've suggested.

Thanks,

Fred



Posted by Michael Ziegler on July 3, 2007, 2:06 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Fred Marshall wrote:
>>> Lacking that type of implementation, how do the packets destined for the
>>> VPN know where the VPN is? Is there some kind of broadcast or what? I
>>> can't imagine that all packets destined for the VPN are broadcast .... ?
>> What do you mean?
>
> To your last question: it appears it doesn't apply because of the first part
> of your answer.
>
> I suppose that some folks use a gateway router to also implement their VPNs.
> Then the next hop targetting would be dealt with almost by default.

If you mean that the machine/box/whatever that all clients in the
network use as their default router is the one that establishes the VPN,
then yes, because the router then knows everything it needs.

> However, if the VPN device is separate (in parallel with the internet
> router) then it appears it needs to be explicitly targetted with routes as
> you've suggested.

In that case, either each client in the network needs to know that
route, or their default router. Otherwise, these clients' packages would
be sent into the internet instead of the VPN because no-one would talk
to the correct router :)

Regards,
Michael

Posted by Fred Marshall on July 3, 2007, 4:50 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> Fred Marshall wrote:
>> For one thing, I can imagine that there would be a gateway router on each
>> subnet and that the gateway router would route all traffic going to the
>> remote subnet to the local VPN IP address as the next hop. I can't
>> imagine that this is somehow bad practice.
>
> These gateways would naturally be the machines that establish the VPN
> connection.
> You need to set these up so they do routing in two directions, namely VPN
> <-> LAN.
>
> Then, you tell your clients (or, the default gateways these clients use)
> that they reach the other site via the gateway machine that runs the VPN,
> and that's it :)
>
> eg:
> Site1:
> network: 192.168.1.0/24
> router to internet: 192.168.1.1
> vpn gateway: 192.168.1.254
> vpn address: 10.8.0.1
>
> Site2:
> network: 192.168.2.0/24
> router to internet: 192.168.2.1
> vpn gateway: 192.168.2.254,
> vpn address: 10.8.0.2
>
> Route to set on machine 192.168.1.1:
> | route add -net 192.168.2.0/24 gw 192.168.1.254
>
> Route to set on machine 192.168.1.254:
> | route add -net 192.168.2.0/24 gw 10.8.0.2
>
> Route to set on machine 192.168.2.1:
> | route add -net 192.168.1.0/24 gw 192.168.2.254
>
> Route to set on machine 192.168.2.254:
> | route add -net 192.168.1.0/24 gw 10.8.0.1
>
> That should do the trick :)
>
> I'm not sure if these routes are sufficient on the VPN gateways, though,
> as I'm not familiar with how to setup this without using a shorewall :D
>

Michael,

Yes, the routes are effectively like this, or would be.

I'm using Linksys RV042 for VPN devices (and nothing else) and the tunnel
definition takes care of the site-to-site IP addresses - both public and
private subnet ranges. Then, its firewall settings are shut down tight to
only allow the intended tunnel traffic between the intended interfaces.

What you're telling me is that I have to also add a route pointing to the
local VPN address to reach the remote subnet. That could either be a static
route on each host or a route on a local gateway that all hosts point to.
That makes a lot of sense to me!

So, just to test my understanding and to be clear:

If I want to destine a packet for the remote subnet in general there would
have to be a route like this (from above):
Route to set on machine 192.168.1.1:
| route add -net 192.168.2.0/24 gw 192.168.1.254

OR

If I want to destine packets for the remote subnet in general, and if
there's a gateway / router at 192.168.1.99, then there could be a route like
this (from above):
Route to set on machine 192.168.1.99:
| route add -net 192.168.2.0/24 gw 192.168.1.254

NOW, and this is important ......

If I want to destine a packets for a a "further remote / private" subnet
known only to a router on the remote subnet then there would have to be a
route like the one above pointing to the router that knows the next hop.
So, for a destination of 192.168.3.x via the 192.168.2.x subnet: and
specifically 192.168.2.99 (a router)

Route to set on machine 192.168.1.99 (gateway / router):
route add -p 192.168.3.0 mask 255.255.255.0 gw 192.168.1.254 (vpn) next hop

hmmmmm.... I guess I don't know how to do this if the VPN device won't also
route and only bridges the two LANs.
Can the .99 router have both:
| route add -p 192.168.2.0/24 gw 192.168.1.254
AND
| route add -p 192.168.3.0/24 gw 192.168.2.99 ???

Will the second route be subject to the first route?
I don't think so... !

Yet, this is what I need to do. Any suggestions?


Then there need to be return paths:

Route to set on machine 192.168.2.99
route add -p 192.168.1.0 mask 255.255.255.0 gw 192.168.2.254

I think this is the only return path needed within the two subnets on the
VPN.

Sound right to you?

Thanks,

Fred












Similar ThreadsPosted
Setting up site to site VPNs February 25, 2006, 3:10 pm
Checpoint VPN Edge to Linksys BEFVP41 site to site February 15, 2005, 7:32 am
Sonicwall Site to Site VPNand Active Directory March 24, 2005, 11:42 am
Cisco Site to Site VPN. Is it possible to join domain over VPN connection? October 8, 2007, 7:09 pm
Aweful Cisco site to Site vpn - outlook 2003 November 11, 2007, 5:28 pm
cisco 1811 looses connectivity ( site to site vpn ) November 16, 2007, 8:34 pm
REQ: Low-end site-to-site VPN router that does split tunneling October 13, 2005, 10:53 pm
How to Configure Site-to-Site VPN in Cisco Routers May 2, 2007, 5:31 am
RV042 / SSG-5 site-to-site Advice Needed November 20, 2007, 10:49 am
VPN site to site explanation needed June 15, 2005, 4:31 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map