Hi Stefaan,

To avoid confusion, let us discuss your initial diagram:

> >
> >                    192.168.1.0/24
> >                          vvv
> > LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24       .10 !
> >                           +--- [RTR] --- Internet
> >                           !    .1
> >                       .30 !
> >                        [RTR-B]
> >                           ! .1
> >                       .10 !
> > LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24          ^^^
> >                    192.168.11.0/24
> >
> >
> > On ISA-A:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.11.10/32
> > - 192.168.44.0/24
> >
> > Default gateway: 192.168.1.1
> >
> > Static routes configured:
> > - 192.168.11.0/24 Gateway 192.168.1.30
> > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???

The question is why that additional static route "192.168.44.0/24 Gateway 192.168.1.30" is needed.

Then I provided an answer as follows:

> > After various lab tests by me and also other ISA fans, we suspect in our
> > environment, you can add up a static route from the upstream router to ISA-B's
> > external NIC. This is because
> > - no route table change at ISA after enabling the S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC, it has
> > no route information at all!
> >
> > To add up a static route at ISA-A to ISA-B's internal network ID is one
> > solution based on the above reason. However, is it more proper to set up
> > /adjust
> > the route setting at the upstream router? Or is there any reason, like a
> > security concern, making that impossible?

If the route decision should be made on the outer IP header of the tunnel (as I understood before seeing your post), there is no need to add up that static route in the route table at ISA-A, isn't it? However, you need the help of one more static route to instruct ISA-A to go for the right route path before sending ESP.

Thanks,

Roy Tsao

> Hi Roy,
>
> I'm not sure I understand your question!?!?
>
> If I'm the administrator of ISA-A, I define the remote network
> 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30. Now,
> 192.168.1.0/24 is a directly connected network. Why do I need to create a
> static route for 192.168.44.0/24 with Gateway 192.168.1.30 before it works?
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Sunday 8 January 2006 14:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
>
> http://www.ISAserver.org
>
> Hi Stefaan,
>
> Let us concentrate on the initial diagrams you illustrated.
> In case the S2S VPN is within the protected network of ISA, it would be
> another story.
>
> If your saying "The route decision should be made on the outer IP header"
> is correct, why do you need to add up a static route from ISA-A to the internal
> network ID of ISA-B? Then why do you ask this question??
>
> Thanks,
>
> Roy Tsao
>
> > Hi Roy,
> >
> > You wrote "ISA decides route before processing ESP". That would be a
> > very stupid way of determining the route! The route decision should be
> > made on the outer IP header (the tunnel) and not on the inner IP
> > header (the encapsulated traffic). In my case the remote tunnel
> > endpoint is on a directly connected network. So, the router RTR shouldn't be
> > involved at all.
> >
> > As an example, two more diagrams where a S2S VPN connection is needed
> > through a partner connection:
> >
> >                  +--- [RT1] --- Internet
> > LAN --- [ISA] ---+
> >                  +--- [RT2] --- Partner Network
> >
> >
> > LAN --- [ISA] --- [RT1] --- Internet
> >                !
> >                +------ [RT2] --- Partner Network
> >
> >
> > Thanks,
> > Stefaan
> >
> >
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Sunday 8 January 2006 9:24
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> >
> >
> > Hi Stefaan,
> >
> > After various lab tests by me and also other ISA fans, we suspect in our
> > environment, you can add up a static route from the upstream router to ISA-B's
> > external NIC. This is because
> > - no route table change at ISA after enabling the S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC, it has
> > no route information at all!
> >
> > To add up a static route at ISA-A to ISA-B's internal network ID is one
> > solution based on the above reason. However, is it more proper to set up
> > /adjust
> > the route setting at the upstream router? Or is there any reason, like a
> > security concern, making that impossible?
> >
> > As for your 2nd test scenario, may I understand the failure is due to
> > disabled packet relay at the router side?
> >
> >
> >
> > > Hi Jim,
> > >
> > > OK, I took up the challenge and replaced ISA-B with a Windows 2003
> > > RRAS server :-)
> > >
> > > With the help of
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I
> > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > I found exactly the same behavior.
> > >
> > > I even simplified the test environment further, as follows:
> > >
> > >                    192.168.1.0/24
> > >                          vvv
> > > LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24       .10 !
> > >                           +--- [RTR] --- Internet
> > >                           !    .1
> > >                       .30 !
> > > LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.30/32
> > > - 192.168.44.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > >
> > >
> > > Thanks,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Tuesday 27 December 2005 21:23
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > That is odd, but I'll bet you find that this behavior is the same
> > > without ISA.
> > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > >
> > > Hi,
> > >
> > > it seems that if a S2S VPN connection of type IPSec Tunnel is used and
> > > if the remote tunnel endpoint can't be reached through the default
> > > gateway, then you need to create extra static routes for the remote
> > > network IDs reachable through that remote tunnel endpoint. I don't
> > > understand why this is needed. Take note that there were no problems
> > > in setting up the IPSec MM and QM SAs!
> > >
> > > To explain it better, here is a little diagram of the lab setup:
> > >
> > >                    192.168.1.0/24
> > >                          vvv
> > > LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24       .10 !
> > >                           +--- [RTR] --- Internet
> > >                           !    .1
> > >                       .30 !
> > >                        [RTR-B]
> > >                           ! .1
> > >                       .10 !
> > > LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24          ^^^
> > >                    192.168.11.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.11.10/32
> > > - 192.168.44.0/24
> > >
> > > Default gateway: 192.168.1.1
> > >
> > > Static routes configured:
> > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > Default Gateway: 192.168.11.1
> > >
> > > No static routes configured.
> > >
> > >
> > > Test:
> > > -----
> > >
> > > From a host on LAN-B ping a host on LAN-A. Without the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> > > request and reply on LAN-A but the reply never makes it back to LAN-B.
> > > The ping reply just disappeared into thin air! Creating the static
> > > route and bingo, it works. What's the logic behind this behavior?
> > >
> > >
> > > Thanks,
> > > Stefaan
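The thread puts forward two models of how ISA-A picks the outgoing path for tunnel-mode traffic: Roy's (the route is chosen for the cleartext packet from its inner destination, and the ESP packet inherits that next hop) and Stefaan's expectation (the route is chosen for the ESP packet from its outer destination). The Python model below is added here and is not part of the thread, of ISA Server or of Windows RRAS; it replays Stefaan's original lab (ISA-A's routing table and Remote Site Network as given in the diagram above) under both models, with and without the disputed 192.168.44.0/24 route. The routing tables assumed for RTR and RTR-B and the LAN-B host address 192.168.44.100 are constructed: RTR gets only its own LAN plus a default route to the Internet, which is the "no route information at all" situation Roy describes, and RTR-B gets its two directly attached networks.

```python
import ipaddress

# ISA-A's routing table, constructed from the lab diagram in the thread.
# next_hop None means the prefix is on-link (directly connected).
ISA_A_ROUTES = [
    ("192.168.22.0/24", None),            # LAN-A, internal NIC
    ("192.168.1.0/24", None),             # external NIC (.10)
    ("0.0.0.0/0", "192.168.1.1"),         # default gateway: RTR
    ("192.168.11.0/24", "192.168.1.30"),  # static route to ISA-B's external network via RTR-B
]
# The route Stefaan asks about ("WHY is this one needed?").
DISPUTED_ROUTE = ("192.168.44.0/24", "192.168.1.30")

# ISA-A's tunnel-mode policy: inner destinations -> remote tunnel endpoint (ISA-B's external NIC).
ISA_A_TUNNELS = {"192.168.44.0/24": "192.168.11.10"}

# Assumed routing tables of the two neighbours on 192.168.1.0/24 (not from the thread).
# RTR knows only its own LAN and the Internet; RTR-B is attached to both networks.
NEIGHBOUR_ROUTES = {
    "192.168.1.1":  [("192.168.1.0/24", None), ("0.0.0.0/0", "Internet")],
    "192.168.1.30": [("192.168.1.0/24", None), ("192.168.11.0/24", None)],
}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.
    Returns the next hop, or dst itself when the best route is on-link."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def tunnel_endpoint(tunnels, inner_dst):
    """Return the remote tunnel endpoint whose policy covers inner_dst, else None."""
    ip = ipaddress.ip_address(inner_dst)
    for prefix, endpoint in tunnels.items():
        if ip in ipaddress.ip_network(prefix):
            return endpoint
    return None


def send(routes, tunnels, inner_dst, decide_on):
    """Return (outer_dst, next_hop) for a packet leaving ISA-A toward inner_dst.

    decide_on="inner": route chosen for the cleartext packet; the ESP packet
                       inherits that next hop (Roy's description).
    decide_on="outer": route chosen for the ESP packet's own destination
                       (Stefaan's expectation)."""
    endpoint = tunnel_endpoint(tunnels, inner_dst)
    outer_dst = endpoint if endpoint else inner_dst
    key = inner_dst if decide_on == "inner" else outer_dst
    return outer_dst, lookup(routes, key)


def delivered(outer_dst, next_hop):
    """Does the ESP packet reach outer_dst once ISA-A hands it to next_hop?
    One further hop is modelled: the neighbour must have outer_dst on-link."""
    if next_hop == outer_dst:
        return True
    if next_hop not in NEIGHBOUR_ROUTES:
        return False
    return lookup(NEIGHBOUR_ROUTES[next_hop], outer_dst) == outer_dst


def lab(decide_on, with_disputed_route):
    """One run of Stefaan's test: the ping reply from LAN-A to a LAN-B host
    (192.168.44.100, a constructed address)."""
    routes = ISA_A_ROUTES + ([DISPUTED_ROUTE] if with_disputed_route else [])
    outer_dst, next_hop = send(routes, ISA_A_TUNNELS, "192.168.44.100", decide_on)
    return {"outer_dst": outer_dst, "next_hop": next_hop,
            "delivered": delivered(outer_dst, next_hop)}


if __name__ == "__main__":
    for decide_on in ("inner", "outer"):
        for with_route in (False, True):
            r = lab(decide_on, with_route)
            route_txt = "with" if with_route else "without"
            outcome = "delivered" if r["delivered"] else "lost"
            print(f"decide on {decide_on} header, {route_txt} the 192.168.44.0/24 route: "
                  f"ESP to {r['outer_dst']} via {r['next_hop']} -> {outcome}")
```

Only the inner-header model reproduces what Stefaan observed: without the route, the ESP packet for 192.168.11.10 is handed to RTR (the default gateway), which has no route toward it; with the route it is handed to RTR-B and arrives. Under the outer-header model the existing 192.168.11.0/24 route would already have sufficed, so the disputed route would never be needed. The model encodes the thread's hypothesis about the order of route selection and ESP processing; it makes no claim about the internals of the Windows IPsec driver.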