RE: S2S VPN: why are static routes sometimes needed?

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Dec 2005 14:42:39 +0100

Hi Tom,

Yeah, I know, you've said that over and over again! But the reality is that
the remote site's gateway in our customers' environment will very likely not
be an ISA server. So, I have to learn to do it the 'bad' way ;-)

Thanks,
Stefaan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, 27 December 2005 14:33
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Stefaan,

I don't know all the details, but I do know that routing support for IPSec
tunnel mode is problematic, and one of the reasons why it's not recommended,
especially if you're connecting two ISA firewalls. If ISA firewalls are on
each side, you should be using L2TP/IPSec to get better routing support.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Tuesday, December 27, 2005 6:58 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> 
> http://www.ISAserver.org
> 
> Hi,
> 
> it seems that if an S2S VPN connection of type IPSec Tunnel is used and
> if the remote tunnel endpoint can't be reached through the default
> gateway, then you need to create extra static routes for the remote
> network IDs reachable through that remote tunnel endpoint. I don't
> understand why this is needed. Take note that there were no problems
> in setting up the IPSec MM and QM SAs!
> 
> To explain it better, here is a little diagram of the lab setup: 
> 
>                       192.168.1.0/24
>                            vvv
>   LAN-A -------- [ISA-A] ---+
> 192.168.22.0/24         .10 !
>                             +--- [RTR] --- Internet
>                             !  .1
>                         .30 !
>                          [RTR-B]
>                             ! .1
>                         .10 !
>   LAN-B -------- [ISA-B] ---+
> 192.168.44.0/24            ^^^
>                       192.168.11.0/24
> 
> 
> On ISA-A:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.11.10/32
> - 192.168.44.0/24
> 
> Default gateway: 192.168.1.1
> 
> Static routes configured:
> - 192.168.11.0/24 Gateway 192.168.1.30
> - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> 
> 
> On ISA-B:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.10/32
> - 192.168.22.0/24
> 
> Default Gateway: 192.168.11.1
> 
> No static routes configured. 
> 
> 
> Test:
> -----
> 
> From a host on LAN-B ping a host on LAN-A. Without the static route
> '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping 
> request and reply on LAN-A but the reply never makes it back to LAN-B. 
> The ping reply just disappeared into thin air! Creating the static 
> route and bingo, it works. What's the logic behind this behavior?
> 
> 
> Thanks,
> Stefaan
> 
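To make the asymmetry in the quoted lab setup concrete, here is an added Python example (not from the thread and not ISA Server code) that performs a longest-prefix-match lookup over the routing tables exactly as the post lists them. The host addresses 192.168.44.5 and 192.168.22.5 are assumed sample hosts on LAN-B and LAN-A; the check shows that on ISA-A the plaintext remote destination and the tunnel endpoint resolve to different next hops until the questioned static route is present, while on ISA-B both already share the default gateway.

```python
import ipaddress

# Routing tables constructed from the post's description.
# Each entry is (prefix, next hop); "direct" marks an on-link network.
ISA_A_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),          # default gateway (RTR)
    ("192.168.1.0/24", "direct"),          # ISA-A external segment
    ("192.168.22.0/24", "direct"),         # LAN-A
    ("192.168.11.0/24", "192.168.1.30"),   # static route toward RTR-B
]
# The route the post asks about.
ISA_A_QUESTIONED_ROUTE = [("192.168.44.0/24", "192.168.1.30")]

ISA_B_ROUTES = [
    ("0.0.0.0/0", "192.168.11.1"),         # default gateway (RTR-B)
    ("192.168.11.0/24", "direct"),         # ISA-B external segment
    ("192.168.44.0/24", "direct"),         # LAN-B
]

# Tunnel endpoints as listed in each Remote Site Network.
ISA_A_PEER = "192.168.11.10"   # ISA-B's external address
ISA_B_PEER = "192.168.1.10"    # ISA-A's external address


def next_hop(routes, dst):
    """Longest-prefix match: return the next hop of the most specific
    route covering dst, or None when no route matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def same_path(routes, remote_host, tunnel_endpoint):
    """True when the plaintext destination behind the tunnel and the tunnel
    endpoint itself resolve to the same next hop. A mismatch is the
    condition under which the post reports needing a static route."""
    return next_hop(routes, remote_host) == next_hop(routes, tunnel_endpoint)


if __name__ == "__main__":
    print("ISA-A, no extra route:", same_path(ISA_A_ROUTES, "192.168.44.5", ISA_A_PEER))
    print("ISA-A, with route:    ",
          same_path(ISA_A_ROUTES + ISA_A_QUESTIONED_ROUTE, "192.168.44.5", ISA_A_PEER))
    print("ISA-B:                ", same_path(ISA_B_ROUTES, "192.168.22.5", ISA_B_PEER))
```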


