RE: S2S VPN: why are static routes sometimes needed?

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sun, 8 Jan 2006 19:30:36 -0700

Hi Stefaan,

To avoid confusion, let us discuss your initial diagram:

> > 
> >                       192.168.1.0/24
> >                            vvv
> >   LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24         .10 !
> >                             +--- [RTR] --- Internet
> >                             !  .1
> >                         .30 !
> >                          [RTR-B]
> >                             ! .1
> >                         .10 !
> >   LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24            ^^^
> >                       192.168.11.0/24
> > 
> > 
> > On ISA-A:
> > ---------
> > 
> > Remote Site Network contains: 
> > - 192.168.11.10/32
> > - 192.168.44.0/24
> > 
> > Default gateway: 192.168.1.1
> > 
> > Static routes configured:
> > - 192.168.11.0/24 Gateway 192.168.1.30
> > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???

The question is why that additional static route 192.168.44.0/24 Gateway
192.168.1.30 is needed.

Then I provided an answer as follows:

> > After various lab tests by me and also other ISA fans, we suspect that in our
> > environment you can add a static route from the upstream router to ISA-B's
> > external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC, it has
> > no route information at all!
> > 
> > To add a static route at ISA-A to ISA-B's internal network ID is one
> > solution based on the above reason. However, is it more proper to set up /
> > adjust the route settings at the upstream router? Or is there any reason,
> > like a security concern, making that impossible?

If the route decision should be made on the outer IP header of the tunnel
(as I understood before seeing your post), there is no need to add that
static route to the route table at ISA-A, is there? However, you need the
help of one more static route to instruct ISA-A to take the right route path
before sending ESP.

Thanks,

Roy Tsao


> Hi Roy, 
> 
> I'm not sure I understand your question!?!?
> 
> If I'm the administrator of ISA-A, I define the remote network
> 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30. Now,
> 192.168.1.0/24 is a directly connected network. Why do I need to create a
> static route for 192.168.44.0/24 with Gateway 192.168.1.30 before it works?
> 
> Thanks,
> Stefaan
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> Sent: zondag 8 januari 2006 14:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> 
> http://www.ISAserver.org
> 
> Hi Stefaan,
> 
> Let us concentrate on the initial diagrams you illustrated.
> In case the S2S VPN is within the protected network of ISA, it would be
> another story.
> 
> If your saying "The route decision should be made on the outer IP header"
> is correct, why would you need to add a static route from ISA-A to the
> internal network ID of ISA-B? Then why do you ask this question??
> 
> Thanks,
> 
> Roy Tsao 
> 
> > Hi Roy,
> > 
> > You wrote "ISA decides route before processing ESP". That would be a 
> > very stupid way of determining the route! The route decision should be
> > made on the outer IP header (the tunnel) and not on the inner IP 
> > header (the encapsulated traffic). In my case the remote tunnel 
> > endpoint is on a directly connected network. So, the router RTR shouldn't be
> > involved at all.
> > 
> > As an example, two more diagrams where a S2S VPN connection is needed 
> > through a partner connection:
> > 
> >                  +--- [RT1] --- Internet 
> > LAN --- [ISA] ---+
> >                  +--- [RT2] --- Partner Network
> >   
> >   
> > LAN --- [ISA] --- [RT1] --- Internet 
> >           ! 
> >           +------ [RT2] --- Partner Network 
> > 
> > 
> > Thanks, 
> > Stefaan
> > 
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
> > Sent: zondag 8 januari 2006 9:24
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > 
> > http://www.ISAserver.org
> > 
> > 
> > Hi Stefaan,
> > 
> > After various lab tests by me and also other ISA fans, we suspect that in our
> > environment you can add a static route from the upstream router to ISA-B's
> > external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC, it has
> > no route information at all!
> > 
> > To add a static route at ISA-A to ISA-B's internal network ID is one
> > solution based on the above reason. However, is it more proper to set up /
> > adjust the route settings at the upstream router? Or is there any reason,
> > like a security concern, making that impossible?
> > 
> > As for your 2nd test scenario, may I understand the failure is due to
> > disabled packet relay at the router side?
> > 
> > 
> > 
> > > Hi Jim,
> > > 
> > > OK, I took up the challenge and replaced ISA-B with a Windows 2003 
> > > RRAS server :-)
> > > 
> > > With the help of
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I 
> > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > I found exactly the same behavior.
> > > 
> > > I even simplified the test environment further, as follows: 
> > > 
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24
> > > 
> > > 
> > > On ISA-A:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.30/32
> > > - 192.168.44.0/24
> > > 
> > > If Default gateway = 192.168.1.1 then the static route 
> > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > > 
> > > 
> > > On ISA-B:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > > 
> > > If Default gateway = 192.168.1.1 then the static route 
> > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > > 
> > > 
> > > Thanks,
> > > Stefaan
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: dinsdag 27 december 2005 21:23
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > > 
> > > http://www.ISAserver.org
> > > 
> > > That is odd, but I'll bet you find that this behavior is the same 
> > > without ISA.
> > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi,
> > > 
> > > it seems that if a S2S VPN connection of type IPSec Tunnel is used and
> > > if the remote tunnel endpoint can't be reached through the default 
> > > gateway, then you need to create extra static routes for the remote
> > > network IDs reachable through that remote tunnel endpoint. I don't
> > > understand why this is needed. Take note that there were no problems
> > > in setting up the IPSec MM and QM SAs!
> > > 
> > > To explain it better, here is a little diagram of the lab setup: 
> > > 
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >                          [RTR-B]
> > >                             ! .1
> > >                         .10 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24            ^^^
> > >                       192.168.11.0/24
> > > 
> > > 
> > > On ISA-A:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.11.10/32
> > > - 192.168.44.0/24
> > > 
> > > Default gateway: 192.168.1.1
> > > 
> > > Static routes configured:
> > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > > 
> > > 
> > > On ISA-B:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > > 
> > > Default Gateway: 192.168.11.1
> > > 
> > > No static routes configured. 
> > > 
> > > 
> > > Test:
> > > -----
> > > 
> > > From a host on LAN-B ping a host on LAN-A. Without the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> > > request and reply on LAN-A but the reply never makes it back to LAN-B.
> > > The ping reply just disappeared into thin air! Creating the static 
> > > route and bingo, it works. What's the logic behind this behavior?
> > > 
> > > 
> > > Thanks,
> > > Stefaan
