RE: S2S VPN: why are static routes sometimes needed?

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 10 Jan 2006 22:07:27 +0100

Hey guys, 

For those interested, check out
http://forums.isaserver.org/m_2002001759/mpage_1/key_/tm.htm#2002003039. 

A feature or a bug? ;-)

Thanks, 
Stefaan 

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
Sent: Sunday 8 January 2006 12:06
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Roy, 

You wrote "ISA decides route before processing ESP". That would be a very
stupid way of determining the route! The route decision should be made on
the outer IP header (the tunnel) and not on the inner IP header (the
encapsulated traffic). In my case the remote tunnel endpoint is on a directly
connected network. So, the router RTR shouldn't be involved at all.

As an example, two more diagrams where an S2S VPN connection is needed through
a partner connection:

                 +--- [RT1] --- Internet 
LAN --- [ISA] ---+ 
                 +--- [RT2] --- Partner Network 
  
  
LAN --- [ISA] --- [RT1] --- Internet 
          ! 
          +------ [RT2] --- Partner Network 


Thanks,
Stefaan


-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Sunday 8 January 2006 9:24
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

Hi Stefaan,

After various lab tests by me and also other ISA fans, we suspect in our
environment, you can add a static route from the upstream router to ISA-B's
external NIC. This is because
- no route table change at ISA after enabling S2S IPsec Tunnel VPN
- ISA decides route before processing ESP
- ESP is sent based on fixed route when the packet exits ISA.
- when the upstream router receives ESP heading for ISA-B's external NIC, it has
no route information at all!

To add a static route at ISA-A to ISA-B's internal network ID is one
solution based on the above reason. However, is it more proper to adjust the
route setting at the upstream router? Or is there any reason, like a security
concern, making that impossible?

As for your 2nd test scenario, may I understand the failure is due to
disabled packet relay at the router side?



> Hi Jim,
> 
> OK, I took up the challenge and replaced ISA-B with a Windows 2003 
> RRAS server :-)
> 
> With the help of
> http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I 
> configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> I found exactly the same behavior.
> 
> I even simplified the test environment further as follows:
> 
>                       192.168.1.0/24
>                            vvv
>   LAN-A -------- [ISA-A] ---+
> 192.168.22.0/24         .10 !
>                             +--- [RTR] --- Internet
>                             !  .1
>                         .30 !
>   LAN-B -------- [ISA-B] ---+
> 192.168.44.0/24
> 
> 
> On ISA-A:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.30/32
> - 192.168.44.0/24
> 
> If Default gateway = 192.168.1.1 then the static route 
> '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> If Default gateway = 192.168.1.30 then no static routes are needed.
> 
> 
> On ISA-B:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.10/32
> - 192.168.22.0/24
> 
> If Default gateway = 192.168.1.1 then the static route 
> '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> If Default gateway = 192.168.1.10 then no static routes are needed.
> 
> 
> Thanks,
> Stefaan
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Tuesday 27 December 2005 21:23
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> 
> That is odd, but I'll bet you find that this behavior is the same 
> without ISA.
> RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Tuesday, December 27, 2005 4:58 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> 
> Hi,
> 
> it seems that if an S2S VPN connection of type IPSec Tunnel is used and
> if the remote tunnel endpoint can't be reached through the default
> gateway, then you need to create extra static routes for the remote
> network IDs reachable through that remote tunnel endpoint. I don't
> understand why this is needed. Take note that there were no problems
> in setting up the IPSec MM and QM SAs!
> 
> To explain it better, here is a little diagram of the lab setup: 
> 
>                       192.168.1.0/24
>                            vvv
>   LAN-A -------- [ISA-A] ---+
> 192.168.22.0/24         .10 !
>                             +--- [RTR] --- Internet
>                             !  .1
>                         .30 !
>                          [RTR-B]
>                             ! .1
>                         .10 !
>   LAN-B -------- [ISA-B] ---+
> 192.168.44.0/24            ^^^
>                       192.168.11.0/24
> 
> 
> On ISA-A:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.11.10/32
> - 192.168.44.0/24
> 
> Default gateway: 192.168.1.1
> 
> Static routes configured:
> - 192.168.11.0/24 Gateway 192.168.1.30
> - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> 
> 
> On ISA-B:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.10/32
> - 192.168.22.0/24
> 
> Default Gateway: 192.168.11.1
> 
> No static routes configured. 
> 
> 
> Test:
> -----
> 
> From a host on LAN-B ping a host on LAN-A. Without the static route
> '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping 
> request and reply on LAN-A but the reply never makes it back to LAN-B. 
> The ping reply just disappeared into thin air! Creating the static 
> route and bingo, it works. What's the logic behind this behavior?
> 
> 
> Thanks,
> Stefaan

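As an added illustration, not part of any message in this thread, the Python model below compares the two routing orders discussed above: Roy's description, where ISA routes on the cleartext (inner) destination before ESP encapsulation and then sends the ESP packet to that hop, and Stefaan's expectation, where the outer header (the tunnel peer) drives the route decision. The routing tables for ISA-A and the LAN-B host address are constructed from the simplified lab (ISA-A .10, ISA-B .30, RTR .1 on 192.168.1.0/24; LAN-B 192.168.44.0/24).

```python
import ipaddress

# Constructed model of the simplified lab in the thread: ISA-A (.10) and its
# peer ISA-B (.30) share 192.168.1.0/24 with RTR (.1); LAN-B is 192.168.44.0/24.
ISA_A_PEER = "192.168.1.30"
LAN_B_HOST = "192.168.44.100"  # constructed host on LAN-B
CONNECTED = [("192.168.22.0/24", "on-link"), ("192.168.1.0/24", "on-link")]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def esp_receiver(routes, inner_dst, peer, inner_first):
    """Neighbour that gets the ESP packet. inner_first=True is the order Roy
    describes (route on the cleartext destination, then wrap in ESP and send
    to that hop); False routes on the outer header, i.e. on the tunnel peer."""
    lookup = inner_dst if inner_first else peer
    hop = next_hop(routes, lookup)
    if hop is None:
        return None
    return lookup if hop == "on-link" else hop

def isa_a_routes(default_gw, static=()):
    """ISA-A's table: connected nets, optional static routes, default route."""
    return CONNECTED + list(static) + [("0.0.0.0/0", default_gw)]

def lab_results(inner_first=True):
    """ISA-A's three tested configurations, for a reply to a LAN-B host."""
    static_44 = [("192.168.44.0/24", ISA_A_PEER)]
    cases = {
        "gw .1, no static": isa_a_routes("192.168.1.1"),
        "gw .1, static 44/24 via .30": isa_a_routes("192.168.1.1", static_44),
        "gw .30": isa_a_routes("192.168.1.30"),
    }
    return {name: esp_receiver(table, LAN_B_HOST, ISA_A_PEER, inner_first)
            for name, table in cases.items()}

def misrouted_cases(inner_first=True):
    """Configurations whose ESP packet does not reach the tunnel peer."""
    return sorted(n for n, hop in lab_results(inner_first).items()
                  if hop != ISA_A_PEER)
```

Under the inner-first order only the "default gateway .1 without static route" case hands the ESP packet to RTR instead of the peer, matching the vanished ping reply; under the outer-first order every configuration delivers it to .30 directly.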